CVE-2026-61448
Received Received - Intake

Stored XSS in Parse Server File Upload

Vulnerability report for CVE-2026-61448, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: VulnCheck

Description

Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions >= 9.0.0, < 9.10.0-alpha.2 and <= 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a valid type/subtype media type (e.g., 'image', 'image/', or 'image//svg+xml') bypasses the fileUpload.fileExtensions blocklist and is stored unchanged. On storage adapters that persist and serve the uploaded Content-Type (such as Amazon S3, Google Cloud Storage, or Azure Blob Storage), a browser cannot parse the malformed value and falls back to MIME-sniffing; a file whose body begins with HTML is rendered as HTML, executing embedded script in the application's origin against other users who open the file URL. The default GridFS storage adapter is not affected. Fixed in 9.10.0-alpha.2 and 8.6.84.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
parse_server parse_server From 9.0.0 (inc) to 9.10.0-alpha.2|end_including=8.6.83 (exc)
parse_server parse_server 9.10.0-alpha.2
parse_server parse_server 8.6.84
parse server From 9.0.0 (inc) to 9.10.0-alpha.2 (exc)
parse server to 8.6.83 (inc)
parse server 9.10.0-alpha.2
parse server 8.6.84

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-61448 is a stored cross-site scripting (XSS) vulnerability in Parse Server that occurs when the server improperly handles malformed Content-Type headers during file uploads.

If a file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type without proper validation. Malformed Content-Types like "image", "image/", or "image//svg+xml" bypass the file extension blocklist and are stored unchanged.

When such files are served via storage adapters that persist and serve the uploaded Content-Type (e.g., Amazon S3, Google Cloud Storage, or Azure Blob Storage), browsers cannot parse the malformed Content-Type and fall back to MIME-sniffing. If the file content begins with HTML, the browser renders it as HTML and executes any embedded scripts in the context of the application’s origin.

This allows attackers to execute malicious scripts against other users who open the file URL, leading to a stored XSS attack.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of your application when users access uploaded files with malformed Content-Types.

Such script execution can compromise the integrity of your application and potentially affect confidentiality and integrity of subsequent systems interacting with the application.

The exploit requires network access but has low attack complexity and low privileges, meaning it can be exploited relatively easily if the conditions are met.

Detection Guidance

This vulnerability can be detected by monitoring file uploads to Parse Server for malformed Content-Type headers that do not conform to valid type/subtype media types, such as "image", "image/", or "image//svg+xml".

You can inspect HTTP requests to the file upload endpoints and look for Content-Type headers that are malformed or suspicious.

Example commands to detect such headers in logs or live traffic include:

  • Using grep on server logs to find malformed Content-Type headers: grep -iE 'Content-Type: *(image|image/|image//svg\+xml)' /path/to/logfile
  • Using tcpdump or tshark to capture HTTP traffic and filter for suspicious Content-Type headers: tshark -Y 'http.content_type matches "^image(/|//svg\+xml)?$"' -T fields -e http.content_type
  • Using curl or similar tools to test file uploads with malformed Content-Type headers and observe server responses.
Mitigation Strategies

Immediate mitigation steps include applying the official patches that validate Content-Type formats and reject malformed types, available in Parse Server versions 9.10.0-alpha.2 and 8.6.84.

If patching is not immediately possible, consider the following workarounds:

  • Use strict allowlists for file extensions to prevent unrecognized file types from being uploaded.
  • Serve uploaded files from a separate domain to isolate potential XSS impact.
  • Configure storage adapters or storage layers (e.g., Amazon S3, Google Cloud Storage) to send the HTTP header "X-Content-Type-Options: nosniff" to prevent browsers from MIME-sniffing and executing malicious content.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61448. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart