Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
- Severity: Medium
Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server’s password reset and email verification HTML pages.
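As an added illustration (not Parse Server's code or its templates), the following minimal Mustache-style renderer shows the mechanism behind this class of bug: a triple-brace `{{{var}}}` (or `{{& var}}`) tag reflects a URL-supplied value into the page as raw markup, while the double-brace `{{var}}` tag HTML-escapes it. The templates, parameter names and input values are constructed for this example.

```javascript
// Added example: a tiny Mustache-like renderer illustrating escaped vs.
// unescaped variable tags. Not Parse Server code; templates and inputs are
// constructed for illustration only.

// Approximates the HTML escaping Mustache applies to {{var}} tags.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Single pass over the template: {{{name}}} and {{& name}} emit the raw
// value, {{name}} emits the escaped value. Unknown keys render as "".
function render(template, view) {
  const lookup = (name) => (name in view ? view[name] : "");
  const tag = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{&\s*([\w.]+)\s*\}\}|\{\{\s*([\w.]+)\s*\}\}/g;
  return template.replace(tag, (_, raw3, rawAmp, esc) =>
    raw3 || rawAmp ? lookup(raw3 || rawAmp) : escapeHtml(lookup(esc))
  );
}

// Constructed templates modelled on a password-reset page that reflects
// values taken from the request URL. The first is the weak form.
const UNSAFE_TEMPLATE =
  '<h1>Reset password for {{{appName}}}</h1><input name="username" value="{{{username}}}">';
const SAFE_TEMPLATE =
  '<h1>Reset password for {{appName}}</h1><input name="username" value="{{username}}">';

// Constructed, harmless inputs containing markup and attribute delimiters.
const view = { appName: "<i>demo</i>", username: '"><b>stray</b>' };

// Defender-side check: does any reflected field appear verbatim in the
// output with its markup characters intact? Useful as a template test.
function reflectsRawMarkup(html, values) {
  return Object.values(values).some((v) => /[<>"]/.test(v) && html.includes(v));
}

// Render both variants so the difference can be inspected or asserted on.
function demo() {
  return { unsafe: render(UNSAFE_TEMPLATE, view), safe: render(SAFE_TEMPLATE, view) };
}
```

Running `reflectsRawMarkup` over every rendered page in a template test suite catches a stray triple-brace before it reaches production.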
Recommendation
Update the parse-server package to the latest compatible version. Version details:
Affected version(s): **>= 9.0.0, < 9.1.0-alpha.3** and **< 8.6.1**
Patched version(s): **9.1.0-alpha.3** and **8.6.1**
References
Related Issues
- Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter - CVE-2025-68150
- Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (GHSA-6465-jgvq-jhgp) - CVE-2025-65944
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Tags:
- npm
- parse-server
Last updated on December 16, 2025