CVE-2026-55778
Received Received - Intake

Stored XSS in Parse Server via File Upload Extension Bypass

Vulnerability report for CVE-2026-55778, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type, allowing storage adapters such as S3 and GCS to serve attacker-supplied active content and enable stored cross-site scripting. This issue is fixed in versions 9.9.1-alpha.11 and 8.6.81.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
parse_server parse_server to 8.6.81 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Parse Server versions prior to 9.9.1-alpha.11 and 8.6.81. It allows an attacker to bypass the default fileUpload.fileExtensions blocklist by uploading files with non-standard or compound extensions combined with dangerous content types. As a result, storage adapters like S3 and GCS may serve attacker-supplied active content, enabling stored cross-site scripting (XSS) attacks.

Impact Analysis

The vulnerability can lead to stored cross-site scripting attacks, where malicious scripts supplied by an attacker are stored and later executed in the context of users accessing the content. This can compromise user data, session tokens, or lead to other malicious actions performed on behalf of the user.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Parse Server to version 9.9.1-alpha.11 or later, or version 8.6.81 or later.

This update fixes the issue where the default fileUpload.fileExtensions blocklist could be bypassed by uploading files with non-standard or compound extensions and dangerous content types.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55778. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart