Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types
Severity: Medium
Description
An attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server `fileUpload.fileExtensions` option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file, which a browser executes when it renders the stored file (stored XSS).
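As an added illustration (not code from Parse Server or from this advisory), the following models the extension check behind `fileUpload.fileExtensions` and shows why a denylist-style pattern that only rejects html/js still accepts SVG and XHTML uploads, whereas an explicit allowlist rejects them. The per-entry matching semantics, the weak pattern and the sample filenames are assumptions made for the example.

```javascript
// Added example, not Parse Server's own code: a stand-in for the extension
// check behind the `fileUpload.fileExtensions` option, showing why a
// denylist-style pattern lets SVG/XHTML through while an allowlist does not.
// Matching semantics (literal extension or regex per entry) are assumed.

// Lowercase extension of a filename, or '' when there is none.
function fileExtension(filename) {
  const base = filename.split(/[\\/]/).pop();
  const idx = base.lastIndexOf('.');
  return idx > 0 && idx < base.length - 1 ? base.slice(idx + 1).toLowerCase() : '';
}

// A file is accepted when its extension matches any policy entry: a literal
// extension (case-insensitive) or a regular-expression pattern.
function isExtensionAllowed(filename, fileExtensions) {
  const ext = fileExtension(filename);
  return fileExtensions.some(entry =>
    /^[a-z0-9]+$/i.test(entry) ? entry.toLowerCase() === ext : new RegExp(entry).test(ext)
  );
}

// Weak policy (constructed for illustration, not claimed to be any release's
// default): a pattern that only rejects html, htm and js.
const DENYLIST_PATTERN = ['^(?!(html?|js)$).*$'];

// Hardened policy: explicit allowlist of formats browsers do not render as
// active content. Extend only with types the application actually needs.
const ALLOWLIST = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Extensions a browser may render as a document that can run script.
const SCRIPT_CAPABLE = new Set(['svg', 'xhtml', 'xml', 'html', 'htm', 'js']);

// Which script-capable uploads a policy would still store and serve.
function unblockedActiveTypes(policy, filenames) {
  return filenames.filter(
    f => SCRIPT_CAPABLE.has(fileExtension(f)) && isExtensionAllowed(f, policy)
  );
}

// Constructed upload names used to exercise both policies.
const SAMPLE_UPLOADS = ['photo.png', 'report.pdf', 'logo.svg', 'page.xhtml', 'index.html', 'app.js'];

console.log('denylist pattern still accepts:', unblockedActiveTypes(DENYLIST_PATTERN, SAMPLE_UPLOADS));
console.log('allowlist still accepts:', unblockedActiveTypes(ALLOWLIST, SAMPLE_UPLOADS));
```

Whatever the extension policy, serving user uploads from a separate origin or with a `Content-Disposition: attachment` header keeps a rendered file from running in the application's origin.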
Recommendation
Update the parse-server package to the latest compatible version. The version details are as follows:
Affected version(s):
- **< 8.6.30**
- **>= 9.0.0-alpha.1, < 9.6.0-alpha.4**
Patched version(s):
- **8.6.30**
- **9.6.0-alpha.4**
References
Related Issues
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- Parse Server vulnerable to schema poisoning via prototype pollution in deep copy - CVE-2026-32878
Tags: npm, parse-server
Last updated on March 11, 2026