File Upload Bypass Vulnerability in Parse Server by Parse Community
CVE-2026-55778

2.1LOW

Key Information:

Vendor
CVE Published:
8 July 2026

What is CVE-2026-55778?

Parse Server, a popular open-source backend framework, has a vulnerability that allows attackers to bypass the default file extension blocklist. This issue can be exploited by uploading files with non-standard or compound extensions that may have a dangerous content type. Consequently, storage adapters like S3 and GCS can serve malicious content, leading to the possibility of stored cross-site scripting (XSS) attacks. This vulnerability affects all versions prior to 9.9.1-alpha.11 and 8.6.81, with fixes included in these releases.

Affected Version(s)

parse-server >= 9.0.0-alpha.1, < 9.9.1-alpha.11 < 9.0.0-alpha.1, 9.9.1-alpha.11

parse-server < 8.6.81 < 8.6.81

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.