Stored XSS Vulnerability in Parse Server Affects Multiple Versions
CVE-2026-61448
What is CVE-2026-61448?
A stored cross-site scripting vulnerability exists in certain versions of Parse Server, allowing attackers to exploit malformed Content-Type entries. The issue arises when the mime package fails to recognize an uploaded file's extension, which results in the unaltered storage of user-supplied Content-Type values. Malicious actors can leverage this flaw by uploading files with HTML content that, when accessed, can execute script code within the context of the application's origin, thereby affecting users who visit the file's URL. The default GridFS storage adapter is not impacted by this vulnerability. Users are advised to update to versions 9.10.0-alpha.2 or 8.6.84 to mitigate the risk.
Affected Version(s)
parse-server 9.0.0 < 9.10.0-alpha.2
parse-server 0 < 8.6.84
parse-server 9.10.0-alpha.2
