CVE-2026-32728
Stored XSS via File Upload Bypass in Parse Server
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | From 9.0.0 (inc) to 9.6.0 (exc) |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | 9.6.0 |
| parseplatform | parse-server | to 8.6.41 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Parse Server versions prior to 9.6.0-alpha.15 and 8.6.41. An attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (such as ';charset=utf-8') to the Content-Type header. This causes the extension validation to fail against the blocklist, allowing potentially dangerous active content to be stored and served under the application's domain.
Additionally, certain XML-based file extensions that can render scripts in web browsers were not included in the default blocklist, which can lead to stored cross-site scripting (XSS) attacks. These attacks can compromise session tokens, user credentials, or other sensitive data accessible via the browser's local storage.
The fix implemented in versions 9.6.0-alpha.15 and 8.6.41 strips MIME parameters from the Content-Type header before validating the file extension against the blocklist and extends the default blocklist to include additional XML-based extensions that can render active content in browsers.
Developers are advised to configure the fileUpload.fileExtensions option as an allowlist of valid file extensions for their specific application rather than relying on the default blocklist, which is not exhaustive.
How can this vulnerability impact me? :
This vulnerability can allow attackers to upload and serve active content, such as scripts, under the application's domain by bypassing file extension filters.
As a result, attackers can perform stored cross-site scripting (XSS) attacks, which may lead to the compromise of session tokens, user credentials, or other sensitive data accessible through the browser's local storage.
This can undermine the security of users interacting with the application, potentially leading to unauthorized access, data theft, or further exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Parse Server to version 9.6.0-alpha.15 or 8.6.41 or later, where the issue has been fixed.
The fix involves stripping MIME parameters from the Content-Type header before validating the file extension against the blocklist.
Additionally, configure the fileUpload.fileExtensions option to use an allowlist of only the file extensions that your application needs, rather than relying on the default blocklist.
Be aware that the default blocklist is not exhaustive and new dangerous extensions might emerge, so explicitly specifying allowed extensions is safer.