Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
- Severity:
- High
Description
A stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with Content-Type: image/svg+xml and without protective headers, causing the browser to execute embedded scripts in the Parse Server origin.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
Affected version(s): **< 8.6.17 >= 9.0.0, < 9.5.2-alpha.4** Patched version(s): **8.6.17 9.5.2-alpha.4**
References
Related Issues
- Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
- Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on March 11, 2026