Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as image/svg+xml, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff on responses. This issue has been patched in versions 8.6.79 and 9.9.1-alpha.4.
Published: 2026-06-12
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Parse Server allowed attackers to upload files that could then be served with an active Content-Type such as image/svg+xml. Appending a trailing dot to the filename made the extension parser extract an empty string, which bypassed the default blocklist, and the storage adapter forwarded the attacker-controlled Content-Type into the response headers. A user who opened the file URL would then have the embedded script executed in their browser (stored cross-site scripting). The weakness combines improper input validation with inadequate file type checking, corresponding to CWE-434 and CWE-79.

Affected Systems

The impact covers deployments of parse-community:parse-server released before version 8.6.79 and before 9.9.1-alpha.4. These older releases lack the file-extension blocklist fix and are affected on any infrastructure running Node.js that hosts Parse Server.

Risk and Exploitability

The CVSS score of 2.1 indicates low severity, and the EPSS score of less than 1% suggests a very small chance of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to upload a file through the public API or an authenticated file upload endpoint, manipulate the filename to include a trailing dot, and then persuade a victim to open or embed the published file URL.

Generated by OpenCVE AI on June 12, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to v8.6.79 or a newer release; v9.9.1-alpha.4 also includes the fix.
  • Immediately audit and delete any files uploaded before the patch that could contain disallowed extensions or malicious content.
  • Configure storage adapters to set the X-Content-Type-Options header to nosniff, or enforce this header in a reverse proxy, to prevent browsers from interpreting a content type derived from user input.
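As an added example (not Parse Server's code, and not the fix shipped in 8.6.79 or 9.9.1-alpha.4), the following Node.js snippet shows why a trailing dot defeats a naive extension blocklist check as the description above explains, a hardened check that normalizes the filename and fails closed on an empty extension, and the response headers a serving layer can attach so that a user-supplied active Content-Type is not honoured. The blocklist contents, the active-type set, the function names and the downgrade of active types to a download are all assumptions made for this example.

```javascript
// Added example, not Parse Server's code: a naive extension blocklist that a
// trailing dot bypasses, a hardened check, and response headers for serving
// uploads. Blocklist contents, active-type set and names are assumptions.

// Constructed blocklist: extensions browsers may render as a document or execute
// (an assumption standing in for a real default blocklist).
const BLOCKED_EXTENSIONS = new Set(["html", "htm", "xhtml", "svg", "xml", "js"]);

// Constructed set of "active" media types that must never be served verbatim
// from a user-controlled Content-Type.
const ACTIVE_CONTENT_TYPES = new Set([
  "image/svg+xml", "text/html", "application/xhtml+xml",
  "text/xml", "application/xml", "text/javascript", "application/javascript",
]);

// Extension parser with the same semantics as path.extname: the text after the
// last dot of the basename, "" for dotfiles and for names without a dot.
// For "poc.svg." the last dot is the final character, so the result is "".
function extensionOf(filename) {
  const base = filename.slice(filename.lastIndexOf("/") + 1);
  const dot = base.lastIndexOf(".");
  return dot <= 0 ? "" : base.slice(dot + 1).toLowerCase();
}

// Naive check with the failure mode the advisory describes: an empty extension
// short-circuits to "allowed", so "poc.svg." passes although "poc.svg" is blocked.
function isBlockedNaive(filename) {
  const ext = extensionOf(filename);
  if (!ext) return false;
  return BLOCKED_EXTENSIONS.has(ext);
}

// Canonicalise before deciding: trailing dots and whitespace are dropped by
// Windows and by many clients, so "poc.svg.", "poc.svg..." and "poc.svg " all
// denote "poc.svg".
function normalizeFilename(filename) {
  return String(filename).trim().replace(/[.\s]+$/, "");
}

// Hardened check: normalise first and fail closed when no extension remains,
// so an empty extension can never be the reason an upload is accepted.
function isBlockedHardened(filename) {
  const ext = extensionOf(normalizeFilename(filename));
  if (!ext) return true;
  return BLOCKED_EXTENSIONS.has(ext);
}

// Headers a serving layer attaches. nosniff stops the browser from guessing a
// type (the mitigation the advisory credits for the GridFS adapter). Downgrading
// a declared active type to a plain download is an extra step assumed here,
// not something the advisory prescribes.
function serveHeaders(declaredContentType) {
  const type = String(declaredContentType || "").split(";")[0].trim().toLowerCase();
  const headers = { "X-Content-Type-Options": "nosniff" };
  if (ACTIVE_CONTENT_TYPES.has(type)) {
    headers["Content-Type"] = "application/octet-stream";
    headers["Content-Disposition"] = "attachment";
  } else {
    headers["Content-Type"] = type || "application/octet-stream";
  }
  return headers;
}

// Stand-alone demo over constructed upload requests.
const sampleUploads = [
  { name: "poc.svg", type: "image/svg+xml" },
  { name: "poc.svg.", type: "image/svg+xml" }, // the trailing-dot case
  { name: "photo.png", type: "image/png" },
];
for (const u of sampleUploads) {
  console.log(
    u.name.padEnd(10),
    "naive blocked:", isBlockedNaive(u.name),
    "hardened blocked:", isBlockedHardened(u.name),
    "headers:", JSON.stringify(serveHeaders(u.type)),
  );
}
```

Run with `node` and compare the two columns for `poc.svg.`: the naive check reports it as allowed while the hardened one blocks it. The serving-side helper is independent of the upload check, which matters because an adapter that stores the declared Content-Type will keep replaying it for files uploaded before any fix, so the header enforcement in the recommendation above belongs at the point where files are served.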

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:30:00 +0000

Type: Metrics
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 20:00:00 +0000

Type: First Time appeared
Values Added: Parse Community; Parse Community parse Server

Type: Vendors & Products
Values Added: Parse Community; Parse Community parse Server

Fri, 12 Jun 2026 18:45:00 +0000

Type: Description
Values Added: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as image/svg+xml, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff on responses. This issue has been patched in versions 8.6.79 and 9.9.1-alpha.4.

Type: Title
Values Added: Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist

Type: Weaknesses
Values Added: CWE-434; CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0
  {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:01:13.569Z

Reserved: 2026-06-10T16:43:31.242Z

Link: CVE-2026-53724

Vulnrichment

Updated: 2026-06-12T20:01:09.023Z

NVD

Status : Received

Published: 2026-06-12T19:16:30.220

Modified: 2026-06-12T19:16:30.220

Link: CVE-2026-53724

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T19:45:27Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')