File Upload Bypass Vulnerability in Parse Server by Parse Community
CVE-2026-55778
2.1LOW
What is CVE-2026-55778?
Parse Server, a popular open-source backend framework, has a vulnerability that allows attackers to bypass the default file extension blocklist. This issue can be exploited by uploading files with non-standard or compound extensions that may have a dangerous content type. Consequently, storage adapters like S3 and GCS can serve malicious content, leading to the possibility of stored cross-site scripting (XSS) attacks. This vulnerability affects all versions prior to 9.9.1-alpha.11 and 8.6.81, with fixes included in these releases.
Affected Version(s)
parse-server >= 9.0.0-alpha.1, < 9.9.1-alpha.11 < 9.0.0-alpha.1, 9.9.1-alpha.11
parse-server < 8.6.81 < 8.6.81
