XSS in Parse-community Parse-server
CVE-2026-32728
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.000 (2.9th percentile)
Affected products
- Parse-community Parse-server: versions >= 9.0.0 and < 9.6.0-alpha.15, and versions < 8.6.41
Weakness classification (CWE)
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-42ph-pf9q-cr72 (x_refsource_CONFIRM)
- https://github.com/parse-community/parse-server/pull/10191 (x_refsource_MISC)
- https://github.com/parse-community/parse-server/pull/10192 (x_refsource_MISC)
- https://github.com/parse-community/parse-server/commit/4f53ab3cad5502a51a509d53f999e00ff7217b8d (x_refsource_MISC)
- https://github.com/parse-community/parse-server/commit/c7599c577a02b97eb5e76d4e20517b0283ae73c8 (x_refsource_MISC)