Tags: cyphercodes/parse-server
chore(release): 9.9.1-alpha.9 [skip ci]

## [9.9.1-alpha.9](parse-community/parse-server@9.9.1-alpha.8...9.9.1-alpha.9) (2026-06-11)

### Bug Fixes

* rateLimit on exact static routes is bypassed by appending a query string ([parse-community#10500](parse-community#10500)) ([880e8e6](parse-community@880e8e6))

chore(release): 9.9.1-alpha.8 [skip ci]

## [9.9.1-alpha.8](parse-community/parse-server@9.9.1-alpha.7...9.9.1-alpha.8) (2026-06-10)

### Bug Fixes

* LiveQuery subscriptions leak when a client reuses a subscribe requestId ([parse-community#10499](parse-community#10499)) ([3fad4fb](parse-community@3fad4fb))

chore(release): 9.9.1-alpha.7 [skip ci]

## [9.9.1-alpha.7](parse-community/parse-server@9.9.1-alpha.6...9.9.1-alpha.7) (2026-06-06)

### Bug Fixes

* Cloud Function multipart requests bypass the maxUploadSize limit ([parse-community#10498](parse-community#10498)) ([f12e1c3](parse-community@f12e1c3))

chore(release): 9.9.1-alpha.6 [skip ci]

## [9.9.1-alpha.6](parse-community/parse-server@9.9.1-alpha.5...9.9.1-alpha.6) (2026-06-03)

### Bug Fixes

* Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL ([GHSA-wmwx-jr2p-4j4r](GHSA-wmwx-jr2p-4j4r)) ([parse-community#10493](parse-community#10493)) ([43658f1](parse-community@43658f1))

chore(release): 9.9.1-alpha.5 [skip ci]

## [9.9.1-alpha.5](parse-community/parse-server@9.9.1-alpha.4...9.9.1-alpha.5) (2026-06-03)

### Bug Fixes

* Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied ([GHSA-75v4-m273-5j49](GHSA-75v4-m273-5j49)) ([parse-community#10492](parse-community#10492)) ([83e90ed](parse-community@83e90ed))

chore(release): 8.6.80 [skip ci]

## [8.6.80](parse-community/parse-server@8.6.79...8.6.80) (2026-06-03)

### Bug Fixes

* Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL ([GHSA-wmwx-jr2p-4j4r](GHSA-wmwx-jr2p-4j4r)) ([parse-community#10494](parse-community#10494)) ([efef11b](parse-community@efef11b))

chore(release): 9.9.1-alpha.4 [skip ci]

## [9.9.1-alpha.4](parse-community/parse-server@9.9.1-alpha.3...9.9.1-alpha.4) (2026-06-01)

### Bug Fixes

* Stored XSS via trailing-dot filename bypassing file upload extension blocklist ([GHSA-7wqv-xjf3-x35v](GHSA-7wqv-xjf3-x35v)) ([parse-community#10489](parse-community#10489)) ([66484ce](parse-community@66484ce))

chore(release): 8.6.79 [skip ci]

## [8.6.79](parse-community/parse-server@8.6.78...8.6.79) (2026-06-01)

### Bug Fixes

* Stored XSS via trailing-dot filename bypassing file upload extension blocklist ([GHSA-7wqv-xjf3-x35v](GHSA-7wqv-xjf3-x35v)) ([parse-community#10490](parse-community#10490)) ([9e99279](parse-community@9e99279))

chore(release): 9.9.1-alpha.3 [skip ci]

## [9.9.1-alpha.3](parse-community/parse-server@9.9.1-alpha.2...9.9.1-alpha.3) (2026-05-27)

### Bug Fixes

* Server option routeAllowList is bypassable through batch sub-requests ([GHSA-p84r-h6rx-f2xr](GHSA-p84r-h6rx-f2xr)) ([parse-community#10482](parse-community#10482)) ([552c6dd](parse-community@552c6dd))

chore(release): 9.9.1-alpha.2 [skip ci]

## [9.9.1-alpha.2](parse-community/parse-server@9.9.1-alpha.1...9.9.1-alpha.2) (2026-05-18)

### Bug Fixes

* GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers ([GHSA-8cph-rgr4-g5vj](GHSA-8cph-rgr4-g5vj)) ([parse-community#10467](parse-community#10467)) ([155123a](parse-community@155123a))