File Upload Vulnerability in Parse Server by Parse Community
CVE-2026-35200

2.1LOW

Key Information:

Vendor

Parse-community

Status
Parse-server
Vendor
CVE Published:
6 April 2026

What is CVE-2026-35200?

Parse Server, an open-source backend platform that runs on Node.js, contains a vulnerability that allows for the upload of files with extensions that bypass the allowed list. Specifically, prior to versions 8.6.73 and 9.7.1-alpha.4, files can be uploaded with mismatched Content-Type headers, enabling potential security risks when these files are served by storage adapters like S3 or GCS. This inconsistency in Content-Type validation could lead to exploitation, as files may be served with a Content-Type that does not match their extension. Users are advised to upgrade to the fixed versions to enhance the security of their deployment.

Affected Version(s)

parse-server >= 9.0.0, < 9.7.1-alpha.4 < 9.0.0, 9.7.1-alpha.4

parse-server < 8.6.73 < 8.6.73

References

https://github.com/parse-community/parse-server/security/...
x_refsource_CONFIRM
https://github.com/parse-community/parse-server/pull/10383
x_refsource_MISC
https://github.com/parse-community/parse-server/pull/10384
x_refsource_MISC

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.