Detections
Analytics
SCA: security update for parse-server (GHSA-h29g-q5c2-9h4f)
medium Tenable Self-Hosted Container Security Plugin ID 439449
Description
There are packages installed that are affected by a vulnerability referenced in the following CVE:- Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.
Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for resending
email verification links return distinguishable responses depending on whether the provided username
exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames
by observing different redirect targets. The existing emailVerifySuccessOnInvalidEmail configuration
option, which is enabled by default and protects the API route against this, did not apply to these
routes. This issue has been patched in versions 8.6.51 and 9.6.0-alpha.40. (CVE-2026-33323)
Solution
Update the parse-server library and its related packages to version 8.6.51 or later.See Also
Plugin Details
Severity: Medium
ID: 439449
Version: Revision 1.4
Type: Local
Family: SCA Checks
Published: 3/30/2026
Updated: 6/15/2026
Risk Information
VPR
Risk Factor: Low
Score: 2.2
Vendor
Vendor Severity: Medium
CVSS v2
Risk Factor: Medium
Base Score: 5
Temporal Score: 3.7
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Score Source: CVE-2026-33323
CVSS v3
Risk Factor: Medium
Base Score: 5.3
Temporal Score: 4.6
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
CVSS v4
Risk Factor: Medium
Base Score: 6.3
Threat Score: 1.7
Threat Vector: CVSS:4.0/E:U
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Vulnerability Information
Exploit Ease: No known exploits are available
Patch Publication Date: 3/19/2026
Vulnerability Publication Date: 3/19/2026
Reference Information
CVE: CVE-2026-33323
cwe: CWE-204