Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries

Description

An attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. ;charset=utf-8) to the Content-Type header. This causes the extension validation to fail matching against the blocklist, allowing active content to be stored and served under the application’s domain.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.41

  >= 9.0.0, < 9.6.0-alpha.15**

• Patched version(s): **8.6.41

  9.6.0-alpha.15**

References

• GHSA-42ph-pf9q-cr72
• CVE-2026-32728
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Parse Server: File upload Content-Type override via extension mismatch - CVE-2026-35200
• Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value - CVE-2026-34595
• Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
• Parse Server has a protected field change detection oracle via LiveQuery watch parameter - CVE-2026-33429

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:

npm

parse-server