Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
- Severity: Medium
Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server’s password reset and email verification HTML pages.
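The defect class named in the title is easy to reproduce in isolation. The block below is an added illustration, not Parse Server's code or its templates: a minimal Mustache-style renderer in which `{{name}}` HTML-escapes the value and `{{{name}}}` inserts it raw, a constructed reset-page template in both forms, and a `rawVariables` helper a reviewer can run over a template to list every variable that bypasses escaping. The template text, the variable names and the input value are all constructed for the example.

```javascript
// Added example, not Parse Server code: a minimal Mustache-style renderer
// reproducing the escaping rule the advisory hinges on.
// {{name}} HTML-escapes the value; {{{name}}} inserts it unescaped.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a template against a view object. Triple mustaches are handled first
// so the inner pair of {{{x}}} is never matched as an escaped {{x}}.
function render(template, view) {
  return template
    .replace(/\{\{\{\s*(\w+)\s*\}\}\}/g, (_, key) => String(view[key] ?? ''))
    .replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => escapeHtml(view[key] ?? ''));
}

// Defender's check: list the variables a template inserts raw, so each one
// can be confirmed as trusted rather than request-derived.
function rawVariables(template) {
  return [...template.matchAll(/\{\{\{\s*(\w+)\s*\}\}\}/g)].map((m) => m[1]);
}

// Constructed templates modelled on a password-reset page (hypothetical names).
const VULNERABLE_TEMPLATE =
  '<p>Reset the password for {{{username}}} on {{{appName}}}</p>';
const HARDENED_TEMPLATE =
  '<p>Reset the password for {{username}} on {{appName}}</p>';

// Constructed view: username is the kind of value a request can influence.
const view = { username: '<b>alice</b>', appName: 'My App' };

// Raw insertion: the markup in username lands in the page as-is.
function renderVulnerable() {
  return render(VULNERABLE_TEMPLATE, view);
}

// Escaped insertion: the same value is rendered as inert text.
function renderHardened() {
  return render(HARDENED_TEMPLATE, view);
}

console.log('raw variables (vulnerable):', rawVariables(VULNERABLE_TEMPLATE));
console.log('raw variables (hardened):  ', rawVariables(HARDENED_TEMPLATE));
console.log(renderVulnerable());
console.log(renderHardened());
```

The practical audit step this models is to grep the HTML templates for `{{{` and confirm that every variable listed by `rawVariables` comes from server-side configuration rather than from the request; any request-derived value belongs in a double-mustache `{{...}}` so the renderer escapes it.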
Recommendation
Update the parse-server package to the latest compatible version. Version details:
Affected version(s): **>= 9.0.0, < 9.1.0-alpha.3** and **< 8.6.1**
Patched version(s): **9.1.0-alpha.3** and **8.6.1**
References
Related Issues
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) - CVE-2025-59840
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) 2 - CVE-2025-59840
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- Tags: npm, parse-server
Last updated on December 16, 2025