CVE-2026-43930

Summary

parse-server: MFA SMS one-time password accepted twice under concurrent login

Severity

low

EPSS

0.2% (p14)

Also known as

GHSA-jpq4-7fmq-q5fj, BIT-parse-2026-43930

Published

2026-05-05

References

• https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj
• https://nvd.nist.gov/vuln/detail/CVE-2026-43930
• https://github.com/parse-community/parse-server/pull/10448

Related advisories

• GHSA-cgxm-vr2f-6fj8 — high · npm/parse-server
• CVE-2026-47138 — high · npm/parse-server
• CVE-2026-34784 — high · npm/parse-server
• CVE-2026-47248 — medium · npm/parse-server
• CVE-2026-39381 — medium · npm/parse-server
• CVE-2026-39321 — medium · npm/parse-server
• CVE-2026-34595 — medium · npm/parse-server
• CVE-2026-34574 — medium · npm/parse-server

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity