CVE-2026-30948
Received Received - Intake
Stored XSS in Parse Server SVG Upload Enables Account Takeover

Publication date: 2026-03-10

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with Content-Type: image/svg+xml and without protective headers, causing the browser to execute embedded scripts in the Parse Server origin. This can be exploited to steal session tokens from localStorage and achieve account takeover. The default fileExtensions option blocks HTML file extensions but does not block SVG, which is a well-known XSS vector. All Parse Server deployments where file upload is enabled for authenticated users (the default) are affected. This vulnerability is fixed in 9.5.2-alpha.4 and 8.6.17.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30948
EUVD
EUVD-2026-10866
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server 9.5.2
parseplatform parse-server From 9.0.0 (inc) to 9.5.2 (exc)
parseplatform parse-server to 8.6.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in Parse Server versions prior to 9.5.2-alpha.4 and 8.6.17. It allows any authenticated user to upload an SVG file that contains embedded JavaScript. Because the server serves the SVG file inline with the Content-Type set to image/svg+xml and without protective headers, the browser executes the embedded scripts within the context of the Parse Server origin.

The default configuration blocks HTML file extensions but does not block SVG files, which are a known vector for XSS attacks. This means that attackers can exploit this to run malicious scripts in other users' browsers.

Impact Analysis

The vulnerability can be exploited to steal session tokens stored in localStorage, which can lead to account takeover. This means an attacker could impersonate other users by hijacking their sessions.

Since the malicious script runs in the context of the Parse Server origin, it can perform actions on behalf of the victim user, potentially leading to unauthorized access to sensitive data or functionality.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade your Parse Server deployment to version 9.5.2-alpha.4 or later, or 8.6.17 or later, where the issue is fixed.

Additionally, consider disabling or restricting file uploads for authenticated users if not necessary, or implement additional filtering to block SVG file uploads, as SVG files are a known XSS vector.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30948. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart