Arbitrary file upload in Parse-community Parse-server

CVE-2026-61448

Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions >= 9.0.0, < 9.10.0-alpha.2 and <= 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-…

Vulnerability class: Unrestricted File Upload

Affected products

Weakness classification (CWE)

References