Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.
History

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.
Title Parse Server - Arbitrary Code Execution via Malicious Version Tags
First Time appeared Parseplatform
Parseplatform parse-server
Weaknesses CWE-494
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-06-25T21:41:02.187Z

Updated: 2026-06-26T18:42:21.725Z

Reserved: 2026-06-21T02:08:33.232Z

Link: CVE-2021-47987

cve-icon Vulnrichment

Updated: 2026-06-26T18:14:36.303Z

cve-icon NVD

No data.

cve-icon Redhat

No data.