CVE-2026-27609

EUVD-2026-8592

25.02.2026, 03:16

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
parseplatform	parse_dashboard	7.3.0:alpha.42
parseplatform	parse_dashboard	7.3.0:alpha.43
parseplatform	parse_dashboard	7.3.0:alpha.44
parseplatform	parse_dashboard	7.3.0:alpha.5
parseplatform	parse_dashboard	7.3.0:alpha.6
parseplatform	parse_dashboard	7.3.0:alpha.7
parseplatform	parse_dashboard	7.3.0:alpha.8
parseplatform	parse_dashboard	7.3.0:alpha.9
parseplatform	parse_dashboard	7.3.0-alpha.42
parseplatform	parse_dashboard	7.4.0:alpha.1
parseplatform	parse_dashboard	7.4.0:alpha.2
parseplatform	parse_dashboard	7.4.0:alpha.3
parseplatform	parse_dashboard	7.4.0:alpha.4
parseplatform	parse_dashboard	7.4.0:alpha.5
parseplatform	parse_dashboard	7.5.0:alpha.1
parseplatform	parse_dashboard	7.5.0:alpha.2
parseplatform	parse_dashboard	7.6.0:alpha.1
parseplatform	parse_dashboard	7.6.0:alpha.10
parseplatform	parse_dashboard	7.6.0:alpha.11
parseplatform	parse_dashboard	7.6.0:alpha.12
parseplatform	parse_dashboard	7.6.0:alpha.13
parseplatform	parse_dashboard	7.6.0:alpha.2
parseplatform	parse_dashboard	7.6.0:alpha.3
parseplatform	parse_dashboard	7.6.0:alpha.4
parseplatform	parse_dashboard	7.6.0:alpha.5
parseplatform	parse_dashboard	7.6.0:alpha.6
parseplatform	parse_dashboard	7.6.0:alpha.7
parseplatform	parse_dashboard	7.6.0:alpha.8
parseplatform	parse_dashboard	7.6.0:alpha.9
parseplatform	parse_dashboard	8.0.0:alpha.1
parseplatform	parse_dashboard	8.0.0:alpha.2
parseplatform	parse_dashboard	8.0.0:alpha.3
parseplatform	parse_dashboard	8.0.0:alpha.4
parseplatform	parse_dashboard	8.0.0:alpha.5
parseplatform	parse_dashboard	8.0.0:alpha.6
parseplatform	parse_dashboard	8.1.0:alpha.1
parseplatform	parse_dashboard	8.1.0:alpha.10
parseplatform	parse_dashboard	8.1.0:alpha.11
parseplatform	parse_dashboard	8.1.0:alpha.12
parseplatform	parse_dashboard	8.1.0:alpha.13
parseplatform	parse_dashboard	8.1.0:alpha.2
parseplatform	parse_dashboard	8.1.0:alpha.3
parseplatform	parse_dashboard	8.1.0:alpha.4
parseplatform	parse_dashboard	8.1.0:alpha.5
parseplatform	parse_dashboard	8.1.0:alpha.6
parseplatform	parse_dashboard	8.1.0:alpha.7
parseplatform	parse_dashboard	8.1.0:alpha.8
parseplatform	parse_dashboard	8.1.0:alpha.9
parseplatform	parse_dashboard	8.1.1:alpha.1
parseplatform	parse_dashboard	8.2.0:alpha.1
parseplatform	parse_dashboard	8.2.0:alpha.10
parseplatform	parse_dashboard	8.2.0:alpha.11
parseplatform	parse_dashboard	8.2.0:alpha.12
parseplatform	parse_dashboard	8.2.0:alpha.13
parseplatform	parse_dashboard	8.2.0:alpha.14
parseplatform	parse_dashboard	8.2.0:alpha.15
parseplatform	parse_dashboard	8.2.0:alpha.16
parseplatform	parse_dashboard	8.2.0:alpha.17
parseplatform	parse_dashboard	8.2.0:alpha.18
parseplatform	parse_dashboard	8.2.0:alpha.19
parseplatform	parse_dashboard	8.2.0:alpha.2
parseplatform	parse_dashboard	8.2.0:alpha.20
parseplatform	parse_dashboard	8.2.0:alpha.21
parseplatform	parse_dashboard	8.2.0:alpha.22
parseplatform	parse_dashboard	8.2.0:alpha.23
parseplatform	parse_dashboard	8.2.0:alpha.24
parseplatform	parse_dashboard	8.2.0:alpha.25
parseplatform	parse_dashboard	8.2.0:alpha.26
parseplatform	parse_dashboard	8.2.0:alpha.27
parseplatform	parse_dashboard	8.2.0:alpha.3
parseplatform	parse_dashboard	8.2.0:alpha.4
parseplatform	parse_dashboard	8.2.0:alpha.5
parseplatform	parse_dashboard	8.2.0:alpha.6
parseplatform	parse_dashboard	8.2.0:alpha.7
parseplatform	parse_dashboard	8.2.0:alpha.8
parseplatform	parse_dashboard	8.2.0:alpha.9
parseplatform	parse_dashboard	8.3.0:alpha.1
parseplatform	parse_dashboard	8.3.0:alpha.10
parseplatform	parse_dashboard	8.3.0:alpha.11
parseplatform	parse_dashboard	8.3.0:alpha.12
parseplatform	parse_dashboard	8.3.0:alpha.13
parseplatform	parse_dashboard	8.3.0:alpha.14
parseplatform	parse_dashboard	8.3.0:alpha.15
parseplatform	parse_dashboard	8.3.0:alpha.16
parseplatform	parse_dashboard	8.3.0:alpha.17
parseplatform	parse_dashboard	8.3.0:alpha.18
parseplatform	parse_dashboard	8.3.0:alpha.19
parseplatform	parse_dashboard	8.3.0:alpha.2
parseplatform	parse_dashboard	8.3.0:alpha.20
parseplatform	parse_dashboard	8.3.0:alpha.21
parseplatform	parse_dashboard	8.3.0:alpha.22
parseplatform	parse_dashboard	8.3.0:alpha.23
parseplatform	parse_dashboard	8.3.0:alpha.24
parseplatform	parse_dashboard	8.3.0:alpha.25
parseplatform	parse_dashboard	8.3.0:alpha.26
parseplatform	parse_dashboard	8.3.0:alpha.27
parseplatform	parse_dashboard	8.3.0:alpha.28
parseplatform	parse_dashboard	8.3.0:alpha.29
parseplatform	parse_dashboard	8.3.0:alpha.3
parseplatform	parse_dashboard	8.3.0:alpha.30
parseplatform	parse_dashboard	8.3.0:alpha.31
parseplatform	parse_dashboard	8.3.0:alpha.32
parseplatform	parse_dashboard	8.3.0:alpha.33
parseplatform	parse_dashboard	8.3.0:alpha.34
parseplatform	parse_dashboard	8.3.0:alpha.35
parseplatform	parse_dashboard	8.3.0:alpha.36
parseplatform	parse_dashboard	8.3.0:alpha.37
parseplatform	parse_dashboard	8.3.0:alpha.38
parseplatform	parse_dashboard	8.3.0:alpha.39
parseplatform	parse_dashboard	8.3.0:alpha.4
parseplatform	parse_dashboard	8.3.0:alpha.40
parseplatform	parse_dashboard	8.3.0:alpha.41
parseplatform	parse_dashboard	8.3.0:alpha.42
parseplatform	parse_dashboard	8.3.0:alpha.43
parseplatform	parse_dashboard	8.3.0:alpha.5
parseplatform	parse_dashboard	8.3.0:alpha.6
parseplatform	parse_dashboard	8.3.0:alpha.7
parseplatform	parse_dashboard	8.3.0:alpha.8
parseplatform	parse_dashboard	8.3.0:alpha.9
parseplatform	parse_dashboard	8.4.0:alpha.1
parseplatform	parse_dashboard	8.4.1:alpha.1
parseplatform	parse_dashboard	8.4.1:alpha.2
parseplatform	parse_dashboard	8.5.0:alpha.1
parseplatform	parse_dashboard	8.5.0:alpha.2
parseplatform	parse_dashboard	8.5.0:alpha.3
parseplatform	parse_dashboard	8.5.0:alpha.4
parseplatform	parse_dashboard	8.5.0:alpha.5
parseplatform	parse_dashboard	8.5.0:alpha.6
parseplatform	parse_dashboard	8.5.0:alpha.7
parseplatform	parse_dashboard	9.0.0:alpha.1
parseplatform	parse_dashboard	9.0.0:alpha.2
parseplatform	parse_dashboard	9.0.0:alpha.3
parseplatform	parse_dashboard	9.0.0:alpha.4
parseplatform	parse_dashboard	9.0.0:alpha.5
parseplatform	parse_dashboard	9.0.0:alpha.6
parseplatform	parse_dashboard	9.0.0:alpha.7

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8

https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc