File Upload Vulnerability in Parse Server Affects Node.js Deployments
CVE-2026-53724
2.1LOW
What is CVE-2026-53724?
An issue in Parse Server allows attackers to bypass the default blocklist for file upload extensions by appending a trailing dot to the filename. This malicious input leads to the extraction of an empty string during extension parsing, effectively short-circuiting the blocklist check. Consequently, if an attacker sends a file with an attacker-controlled Content-Type, it can be stored and served by vulnerable storage adapters unchanged. This could cause stored Cross-Site Scripting (XSS) when victims navigate to the file's URL. Versions 8.6.79 and 9.9.1-alpha.4 of Parse Server include essential patches to mitigate this risk.
Affected Version(s)
parse-server < 8.6.79 < 8.6.79
parse-server >= 9.0.0, < 9.9.1-alpha.4 < 9.0.0, 9.9.1-alpha.4
