Arbitrary file upload in Parse-community Parse-server
CVE-2026-61448
Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions >= 9.0.0, < 9.10.0-alpha.2 and <= 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-…
Vulnerability class: Unrestricted File Upload
Affected products
- Parse-community Parse-server — versions 9.0.0, 9.10.0-alpha.2, 0
Weakness classification (CWE)
References
- disclosure@vulncheck.com (vendor-advisory)
- disclosure@vulncheck.com (third-party-advisory)