9.9.1-alpha.4

9.9.1-alpha.4 (2026-06-01)

Bug Fixes

• Stored XSS via trailing-dot filename bypassing file upload extension blocklist (GHSA-7wqv-xjf3-x35v) (#10489) (66484ce)

8.6.79

8.6.79 (2026-06-01)

Bug Fixes

• Stored XSS via trailing-dot filename bypassing file upload extension blocklist (GHSA-7wqv-xjf3-x35v) (#10490) (9e99279)

9.9.1-alpha.3

9.9.1-alpha.3 (2026-05-27)

Bug Fixes

• Server option routeAllowList is bypassable through batch sub-requests (GHSA-p84r-h6rx-f2xr) (#10482) (552c6dd)

9.9.1-alpha.2

9.9.1-alpha.2 (2026-05-18)

Bug Fixes

• GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers (GHSA-8cph-rgr4-g5vj) (#10467) (155123a)

8.6.78

8.6.78 (2026-05-18)

Bug Fixes

• GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers (GHSA-8cph-rgr4-g5vj) (#10468) (a0ddb85)

9.9.1-alpha.1

9.9.1-alpha.1 (2026-05-17)

Bug Fixes

• Pre-authentication denial of service via client version header regex backtracking (GHSA-38m6-82c8-4xfm) (#10463) (56c159e)

8.6.77

8.6.77 (2026-05-17)

Bug Fixes

• Pre-authentication denial of service via client version header regex backtracking (GHSA-38m6-82c8-4xfm) (#10464) (8523425)

9.9.0

9.9.0 (2026-05-01)

Bug Fixes

• Context mutations leak across requests in ParseServerRESTController (#10291) (60a58ec)
• MFA SMS one-time password accepted twice under concurrent login (GHSA-jpq4-7fmq-q5fj) (#10448) (725be0d)

Features

• Add rawValues and rawFieldNames options for aggregation queries (#10438) (f26700e)
• Add installation deviceToken deduplication options (#10451) (9fee1a0)

9.9.0-alpha.3

9.9.0-alpha.3 (2026-04-30)

Features

• Add installation deviceToken deduplication options (#10451) (9fee1a0)

9.9.0-alpha.2

9.9.0-alpha.2 (2026-04-26)

Bug Fixes

• MFA SMS one-time password accepted twice under concurrent login (GHSA-jpq4-7fmq-q5fj) (#10448) (725be0d)