File Upload Vulnerability in Parse Server Affects Node.js Deployments
CVE-2026-53724

2.1LOW

Key Information:

Vendor
CVE Published:
12 June 2026

What is CVE-2026-53724?

An issue in Parse Server allows attackers to bypass the default blocklist for file upload extensions by appending a trailing dot to the filename. This malicious input leads to the extraction of an empty string during extension parsing, effectively short-circuiting the blocklist check. Consequently, if an attacker sends a file with an attacker-controlled Content-Type, it can be stored and served by vulnerable storage adapters unchanged. This could cause stored Cross-Site Scripting (XSS) when victims navigate to the file's URL. Versions 8.6.79 and 9.9.1-alpha.4 of Parse Server include essential patches to mitigate this risk.

Affected Version(s)

parse-server < 8.6.79 < 8.6.79

parse-server >= 9.0.0, < 9.9.1-alpha.4 < 9.0.0, 9.9.1-alpha.4

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.