CVE-2026-27609

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-27609
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8 Release Notes
https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.42:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.43:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.44:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0:alpha.9:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.3.0-alpha.42:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.4.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.5.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.5.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.12:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.13:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:7.6.0:alpha.9:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.0.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.12:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.13:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.0:alpha.9:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.1.1:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.12:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.13:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.14:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.15:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.16:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.17:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.18:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.19:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.20:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.21:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.22:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.23:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.24:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.25:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.26:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.27:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.2.0:alpha.9:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.10:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.11:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.12:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.13:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.14:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.15:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.16:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.17:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.18:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.19:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.20:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.21:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.22:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.23:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.24:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.25:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.26:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.27:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.28:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.29:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.30:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.31:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.32:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.33:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.34:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.35:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.36:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.37:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.38:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.39:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.40:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.41:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.42:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.43:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.8:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.3.0:alpha.9:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.4.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.4.1:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.4.1:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:8.5.0:alpha.7:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.3:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.4:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.5:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.6:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse_dashboard:9.0.0:alpha.7:*:*:*:node.js:*:*
History

No history.

Information

Published : 2026-02-25 03:16

Updated : 2026-02-27 19:16

NVD link : CVE-2026-27609

Mitre link : CVE-2026-27609

CVE.ORG link : CVE-2026-27609

JSON object : View

Products Affected

parseplatform

  • parse_dashboard
CWE
CWE-352

Cross-Site Request Forgery (CSRF)