Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with Content-Type: image/svg+xml and without protective headers, causing the browser to execute embedded scripts in the Parse Server origin. This can be exploited to steal session tokens from localStorage and achieve account takeover. The default fileExtensions option blocks HTML file extensions but does not block SVG, which is a well-known XSS vector. All Parse Server deployments where file upload is enabled for authenticated users (the default) are affected. This vulnerability is fixed in 9.5.2-alpha.4 and 8.6.17.
Published: 2026-03-10
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting that allows an authenticated user to execute JavaScript and steal session tokens, leading to account takeover.
Action: Patch Immediately
AI Analysis

Impact

Parse Server, an open‑source Node.js backend, had a stored XSS flaw before version 9.5.2‑alpha.4 and 8.6.17. Emitted SVG files containing JavaScript were served with an image/svg+xml content type and no protective headers. A browser would execute the script in the Parse Server origin context. An attacker who could authenticate could upload a crafted SVG, then use the injected script to read session tokens from localStorage and perform an account takeover. The weakness corresponds to CWE‑79, reflecting a vulnerability in input validation that permits XSS.

Affected Systems

All Parse Server deployments built with parse-community:parse-server on node.js that had file upload enabled for authenticated users are affected. Versions prior to 9.5.2‑alpha.4 and 8.6.17 lack the mitigation; updating to 9.5.2‑alpha.4 or 8.6.17 removes the vulnerability. The default fileExtensions setting blocks HTML extensions but does not block SVG, which permits the attack vector.

Risk and Exploitability

The flaw carries a CVSS score of 8.3, indicating high severity, while the EPSS score is less than 1%, suggesting a low current exploitation probability. It is not listed in the CISA KEV catalog. Exploitation requires an authenticated session to upload the file, but no additional privilege escalation or network-level access is needed. Once a malicious SVG is served inline, the browser will run the injected JavaScript, enabling theft of credentials and session hijacking.

Generated by OpenCVE AI on April 16, 2026 at 03:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.5.2‑alpha.4 or newer 8.6.17 or greater.
  • If upgrading is not immediately possible, block SVG uploads by adding 'svg' to the rejected file extensions or reconfiguring fileExtensions to exclude SVG.
  • Ensure that user‑uploaded files are served with secure headers such as X‑Content‑Type‑Options: nosniff and Content‑Disposition: attachment, or implement a Content Security Policy that disallows inline script execution from SVG resources.
  • Verify and enforce that only authenticated users can upload, or restrict upload privileges to trusted roles.

Generated by OpenCVE AI on April 16, 2026 at 03:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hcj7-6gxh-24ww Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
History

Wed, 11 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Parseplatform
Parseplatform parse-server
CPEs cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:parseplatform:parse-server:9.5.2:alpha3:*:*:*:node.js:*:*
Vendors & Products Parseplatform
Parseplatform parse-server
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Tue, 10 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with Content-Type: image/svg+xml and without protective headers, causing the browser to execute embedded scripts in the Parse Server origin. This can be exploited to steal session tokens from localStorage and achieve account takeover. The default fileExtensions option blocks HTML file extensions but does not block SVG, which is a well-known XSS vector. All Parse Server deployments where file upload is enabled for authenticated users (the default) are affected. This vulnerability is fixed in 9.5.2-alpha.4 and 8.6.17.
Title Parse Server has stored cross-site scripting (XSS) via SVG file upload
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Parse Community Parse Server
Parseplatform Parse-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T20:41:46.654Z

Reserved: 2026-03-07T17:34:39.980Z

Link: CVE-2026-30948

cve-icon Vulnrichment

Updated: 2026-03-10T20:41:39.429Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T21:16:47.660

Modified: 2026-03-11T17:14:26.650

Link: CVE-2026-30948

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses