Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its URL, the browser renders the file and executes the malicious code in the context of the Parse Server domain. This is a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to steal session tokens, redirect users, or perform actions on behalf of other users. Affected file extensions and content types include .svgz, .xht, .xml, .xsl, .xslt, and content types application/xhtml+xml and application/xslt+xml for extensionless uploads. Uploading of .html, .htm, .shtml, .xhtml, and .svg files was already blocked. This vulnerability is fixed in 9.6.0-alpha.4 and 8.6.30.
Published: 2026-03-11
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS)
Action: Patch Now
AI Analysis

Impact

Parse Server allows an attacker to upload a file with a file extension or MIME type that is not blocked by the default fileUpload.fileExtensions option. The file can contain malicious code such as JavaScript inside an SVG or XHTML payload. When accessed via its URL, the browser renders the file and executes the embedded script in the context of the Parse Server domain. This stored XSS vulnerability can be used to steal session tokens, redirect users, or perform actions on behalf of other users.

Affected Systems

All Parse Server releases prior to v9.6.0-alpha.4 and v8.6.30 are affected. The vulnerability stems from the default fileUpload.fileExtensions setting, which does not block the following types: .svgz, .xht, .xml, .xsl, .xslt, and the content types application/xhtml+xml and application/xslt+xml for uploads without an extension. Uploads of .html, .htm, .shtml, .xhtml, and .svg files were already blocked, so exploitation requires one of the other, still-allowed types.

Risk and Exploitability

The CVSS v4.0 base score of 6.3 (CVSS v3.1: 6.1) indicates medium severity. The EPSS probability is below 1%, which suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to upload a crafted file to the file-upload endpoint and to have a victim open the uploaded file's URL; the CVSS vector records no privileges required (PR:N) and active user interaction (UI:A), so an anonymous or authenticated uploader can plant the file. Once the file is opened in a browser, the stored XSS effect is achieved.

Generated by OpenCVE AI on March 17, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.6.0-alpha.4 or 8.6.30
  • Restrict uploaded file extensions to an allow-list of safe types by updating the fileUpload.fileExtensions configuration, keeping the HTML-renderable types excluded: .svgz, .xht, .xml, .xsl, .xslt as well as the already-blocked .html, .htm, .shtml, .xhtml, and .svg
  • Serve uploaded files with a strict, fixed Content-Type header and add X-Content-Type-Options: nosniff so the browser does not sniff a stored file into a renderable type
  • Verify that access to uploaded files is appropriately authenticated and that authorization is enforced

Generated by OpenCVE AI on March 17, 2026 at 15:51 UTC.
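As an added defender-side example (not code from Parse Server or OpenCVE), the guard below applies the extension and content-type deny-list the advisory lists and builds the serving headers recommended above; the text/html and image/svg+xml entries, the octet-stream fallback and the function names are my assumptions.

```javascript
// Added example, not Parse Server's own code: an upload guard and a
// response-header helper mirroring the deny-list from CVE-2026-31868.

// Extensions blocked before the fix plus those the fix adds.
const BLOCKED_EXTENSIONS = new Set([
  '.html', '.htm', '.shtml', '.xhtml', '.svg',   // already blocked
  '.svgz', '.xht', '.xml', '.xsl', '.xslt',      // added in 9.6.0-alpha.4 / 8.6.30
]);

// Declared types checked only when the upload has no extension.
const BLOCKED_CONTENT_TYPES = new Set([
  'application/xhtml+xml', 'application/xslt+xml',  // named in the advisory
  'text/html', 'image/svg+xml',                     // assumed extra coverage
]);

// Lower-cased extension including the dot; '' when there is none or the
// name only has a leading dot (e.g. ".htaccess").
function extensionOf(filename) {
  const base = String(filename).split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  return dot > 0 ? base.slice(dot).toLowerCase() : '';
}

// Strip parameters such as "; charset=utf-8" and normalise case.
function mediaType(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// True when the upload should be rejected as HTML-renderable. An extension,
// if present, decides; otherwise the declared content type is consulted,
// which is the extensionless case the advisory calls out.
function isBlockedUpload(filename, contentType) {
  const ext = extensionOf(filename);
  if (ext) return BLOCKED_EXTENSIONS.has(ext);
  return BLOCKED_CONTENT_TYPES.has(mediaType(contentType));
}

// Headers for serving a stored file: a fixed Content-Type (octet-stream if
// the stored type is missing or renderable) plus nosniff so the browser
// cannot guess its way to a renderable type.
function downloadHeaders(storedContentType) {
  const type = mediaType(storedContentType);
  const safe = type && !BLOCKED_CONTENT_TYPES.has(type);
  return {
    'Content-Type': safe ? type : 'application/octet-stream',
    'X-Content-Type-Options': 'nosniff',
  };
}
```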

Tracking


Advisories
Source: Github GHSA
ID: GHSA-v5hf-f4c3-m5rv
Title: Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types
History

Fri, 13 Mar 2026 18:30:00 +0000

Values added:
  First Time appeared: Parseplatform; Parseplatform parse-server
  CPEs:
    cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha1:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha2:*:*:*:node.js:*:*
    cpe:2.3:a:parseplatform:parse-server:9.6.0:alpha3:*:*:*:node.js:*:*
  Vendors & Products: Parseplatform; Parseplatform parse-server
  Metrics (cvssV3_1): {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 12 Mar 2026 20:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Values added:
  First Time appeared: Parse Community; Parse Community parse Server
  Vendors & Products: Parse Community; Parse Community parse Server

Wed, 11 Mar 2026 18:15:00 +0000

Values added:
  Description: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its URL, the browser renders the file and executes the malicious code in the context of the Parse Server domain. This is a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to steal session tokens, redirect users, or perform actions on behalf of other users. Affected file extensions and content types include .svgz, .xht, .xml, .xsl, .xslt, and content types application/xhtml+xml and application/xslt+xml for extensionless uploads. Uploading of .html, .htm, .shtml, .xhtml, and .svg files was already blocked. This vulnerability is fixed in 9.6.0-alpha.4 and 8.6.30.
  Title: Parse Server has Stored XSS via file upload of HTML-renderable file types
  Weaknesses: CWE-79
  References:
  Metrics (cvssV4_0): {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-12T20:10:51.157Z
Reserved: 2026-03-09T19:02:25.013Z
Link: CVE-2026-31868

Vulnrichment
Updated: 2026-03-12T20:10:48.867Z

NVD
Status: Analyzed
Published: 2026-03-11T18:16:25.850
Modified: 2026-03-13T18:25:43.163
Link: CVE-2026-31868

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-03-20T15:30:05Z

Weaknesses