File Upload Vulnerability in Parse Server by Parse Community
CVE-2026-32728

8.3 HIGH

Key Information:

Vendor
CVE Published: 18 March 2026

What is CVE-2026-32728?

A file upload vulnerability exists in Parse Server prior to certain versions. It allows attackers to bypass the file extension filter by appending MIME parameters to the Content-Type header. As a result, potentially malicious content can be stored under the application's domain, leading to stored XSS attacks. Through certain XML-based file extensions, the vulnerability puts session tokens and user credentials at risk. Subsequent releases mitigate the issue by stripping these MIME parameters and by extending the default blocklist of file extensions to prevent the execution of active content in browsers.
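A regression check for this class of filter bypass, as an added example that is not Parse Server's code: a simplified model in which the extension is derived from the Content-Type header, comparing a parameter-unaware derivation with one that strips MIME parameters first. The blocklist, function names and sample requests are constructed for illustration.

```javascript
// Added illustration: a simplified model, not Parse Server's implementation.
// BLOCKED_EXTENSIONS is a constructed blocklist for this example only.
const BLOCKED_EXTENSIONS = new Set(['html', 'htm', 'svg', 'svg+xml', 'xhtml+xml', 'xml']);

// Parameter-unaware derivation: everything after the slash is treated as the
// extension, so a trailing MIME parameter becomes part of the compared string.
function naiveExtension(contentType) {
  return String(contentType).split('/')[1] || '';
}

// Hardened derivation: drop MIME parameters, trim whitespace, lowercase
// (media types are case-insensitive), then take the subtype.
function normalizedExtension(contentType) {
  const mediaType = String(contentType).split(';')[0].trim().toLowerCase();
  const slash = mediaType.indexOf('/');
  return slash === -1 ? '' : mediaType.slice(slash + 1);
}

// Apply the blocklist to both the filename extension and the declared type.
function checkUpload(filename, contentType, deriveExtension) {
  const dot = filename.lastIndexOf('.');
  const fileExt = dot === -1 ? '' : filename.slice(dot + 1).toLowerCase();
  const typeExt = deriveExtension(contentType);
  const blocked = BLOCKED_EXTENSIONS.has(fileExt) || BLOCKED_EXTENSIONS.has(typeExt);
  return { fileExt, typeExt, allowed: !blocked };
}

// Constructed sample uploads (filenames without an extension, so the
// decision rests on the Content-Type header alone).
const SAMPLES = [
  { filename: 'avatar', contentType: 'image/png' },
  { filename: 'diagram', contentType: 'image/svg+xml' },
  { filename: 'diagram', contentType: 'image/svg+xml; charset=utf-8' },
  { filename: 'page', contentType: 'application/xhtml+xml ;charset=utf-8' },
];

// Run every sample through both derivations and report the decisions.
function compareFilters() {
  return SAMPLES.map(({ filename, contentType }) => ({
    contentType,
    naiveAllowed: checkUpload(filename, contentType, naiveExtension).allowed,
    hardenedAllowed: checkUpload(filename, contentType, normalizedExtension).allowed,
  }));
}

console.table(compareFilters());
```

Any row where the two columns disagree marks a header that the blocklist only catches once parameters are stripped; the same normalized value should be what gets stored and served back.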

Affected Version(s)

parse-server >= 9.0.0, < 9.6.0-alpha.15

parse-server < 8.6.41

CVSS V4

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
