Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type, allowing storage adapters such as S3 and GCS to serve attacker-supplied active content and enable stored cross-site scripting. This issue is fixed in versions 9.9.1-alpha.11 and 8.6.81.
Published: 2026-07-08
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Parse Server, an open‑source backend for Node.js applications, had a flaw where the default blocklist of disallowed file extensions could be bypassed by uploading a file with a non‑standard or compound extension that also carries a dangerous content type. This allows an attacker to store actively malicious scripts on storage adapters such as Amazon S3 or Google Cloud Storage. The stored scripts can then be served to web users, resulting in a classic stored cross‑site scripting (XSS) attack. The vulnerability arises from failing to validate file extensions against the configured blocklist, leading to improper file type handling (CWE‑434).

Affected Systems

The affected product is Parse Server from parse‑community. All releases prior to 9.9.1‑alpha.11 and 8.6.81 are vulnerable, regardless of the deployment environment, since the issue resides in the open‑source code executed on Node.js infrastructure.

Risk and Exploitability

The CVSS score of 2.1 indicates a low severity risk, reflecting that the vulnerability requires an attacker to already have a file upload vector to the Parse Server instance. No exploitation probability is reported, and the issue is not listed in the CISA KEV catalog, suggesting limited active exploitation. The likely attack vector is that an attacker with access to the file upload endpoint can supply a compound extension to bypass the blocklist and embed JavaScript, leading to stored XSS against downstream consumers of the file stream.

Generated by OpenCVE AI on July 9, 2026 at 04:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parse Server to version 9.9.1‑alpha.11, 8.6.81 or later where the blocklist enforcement is corrected.
  • Verify that the fileUpload.fileExtensions blocklist is enabled and that only safe content types are accepted for uploads.
  • Restrict public file upload capability to authenticated users or enforce stricter allowed extensions before accepting files.

Generated by OpenCVE AI on July 9, 2026 at 04:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v8x7-r927-cc93 parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist
History

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Parse Community
Parse Community parse Server
Vendors & Products Parse Community
Parse Community parse Server

Wed, 08 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type, allowing storage adapters such as S3 and GCS to serve attacker-supplied active content and enable stored cross-site scripting. This issue is fixed in versions 9.9.1-alpha.11 and 8.6.81.
Title Parse Server: Stored XSS via non-standard file extension bypassing file upload extension blocklist
Weaknesses CWE-434
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Parse Community Parse Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T20:50:52.531Z

Reserved: 2026-06-17T14:40:28.379Z

Link: CVE-2026-55778

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:00:11Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type