Skip to content

Tags: cyphercodes/parse-server

Tags

9.9.1-alpha.9

Toggle 9.9.1-alpha.9's commit message
chore(release): 9.9.1-alpha.9 [skip ci]

## [9.9.1-alpha.9](parse-community/parse-server@9.9.1-alpha.8...9.9.1-alpha.9) (2026-06-11)

### Bug Fixes

* rateLimit on exact static routes is bypassed by appending a query string ([parse-community#10500](parse-community#10500)) ([880e8e6](parse-community@880e8e6))

9.9.1-alpha.8

Toggle 9.9.1-alpha.8's commit message
chore(release): 9.9.1-alpha.8 [skip ci]

## [9.9.1-alpha.8](parse-community/parse-server@9.9.1-alpha.7...9.9.1-alpha.8) (2026-06-10)

### Bug Fixes

* LiveQuery subscriptions leak when a client reuses a subscribe requestId ([parse-community#10499](parse-community#10499)) ([3fad4fb](parse-community@3fad4fb))

9.9.1-alpha.7

Toggle 9.9.1-alpha.7's commit message
chore(release): 9.9.1-alpha.7 [skip ci]

## [9.9.1-alpha.7](parse-community/parse-server@9.9.1-alpha.6...9.9.1-alpha.7) (2026-06-06)

### Bug Fixes

* Cloud Function multipart requests bypass the maxUploadSize limit ([parse-community#10498](parse-community#10498)) ([f12e1c3](parse-community@f12e1c3))

9.9.1-alpha.6

Toggle 9.9.1-alpha.6's commit message
chore(release): 9.9.1-alpha.6 [skip ci]

## [9.9.1-alpha.6](parse-community/parse-server@9.9.1-alpha.5...9.9.1-alpha.6) (2026-06-03)

### Bug Fixes

* Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL ([GHSA-wmwx-jr2p-4j4r](GHSA-wmwx-jr2p-4j4r)) ([parse-community#10493](parse-community#10493)) ([43658f1](parse-community@43658f1))

9.9.1-alpha.5

Toggle 9.9.1-alpha.5's commit message
chore(release): 9.9.1-alpha.5 [skip ci]

## [9.9.1-alpha.5](parse-community/parse-server@9.9.1-alpha.4...9.9.1-alpha.5) (2026-06-03)

### Bug Fixes

* Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied ([GHSA-75v4-m273-5j49](GHSA-75v4-m273-5j49)) ([parse-community#10492](parse-community#10492)) ([83e90ed](parse-community@83e90ed))

8.6.80

Toggle 8.6.80's commit message
chore(release): 8.6.80 [skip ci]

## [8.6.80](parse-community/parse-server@8.6.79...8.6.80) (2026-06-03)

### Bug Fixes

* Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL ([GHSA-wmwx-jr2p-4j4r](GHSA-wmwx-jr2p-4j4r)) ([parse-community#10494](parse-community#10494)) ([efef11b](parse-community@efef11b))

9.9.1-alpha.4

Toggle 9.9.1-alpha.4's commit message
chore(release): 9.9.1-alpha.4 [skip ci]

## [9.9.1-alpha.4](parse-community/parse-server@9.9.1-alpha.3...9.9.1-alpha.4) (2026-06-01)

### Bug Fixes

* Stored XSS via trailing-dot filename bypassing file upload extension blocklist ([GHSA-7wqv-xjf3-x35v](GHSA-7wqv-xjf3-x35v)) ([parse-community#10489](parse-community#10489)) ([66484ce](parse-community@66484ce))

8.6.79

Toggle 8.6.79's commit message
chore(release): 8.6.79 [skip ci]

## [8.6.79](parse-community/parse-server@8.6.78...8.6.79) (2026-06-01)

### Bug Fixes

* Stored XSS via trailing-dot filename bypassing file upload extension blocklist ([GHSA-7wqv-xjf3-x35v](GHSA-7wqv-xjf3-x35v)) ([parse-community#10490](parse-community#10490)) ([9e99279](parse-community@9e99279))

9.9.1-alpha.3

Toggle 9.9.1-alpha.3's commit message
chore(release): 9.9.1-alpha.3 [skip ci]

## [9.9.1-alpha.3](parse-community/parse-server@9.9.1-alpha.2...9.9.1-alpha.3) (2026-05-27)

### Bug Fixes

* Server option routeAllowList is bypassable through batch sub-requests ([GHSA-p84r-h6rx-f2xr](GHSA-p84r-h6rx-f2xr)) ([parse-community#10482](parse-community#10482)) ([552c6dd](parse-community@552c6dd))

9.9.1-alpha.2

Toggle 9.9.1-alpha.2's commit message
chore(release): 9.9.1-alpha.2 [skip ci]

## [9.9.1-alpha.2](parse-community/parse-server@9.9.1-alpha.1...9.9.1-alpha.2) (2026-05-18)

### Bug Fixes

* GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers ([GHSA-8cph-rgr4-g5vj](GHSA-8cph-rgr4-g5vj)) ([parse-community#10467](parse-community#10467)) ([155123a](parse-community@155123a))