Stored XSS Vulnerability in Parse Server Affects Multiple Versions
CVE-2026-61448

2.1LOW

Key Information:

Vendor
CVE Published:
11 July 2026

What is CVE-2026-61448?

A stored cross-site scripting vulnerability exists in certain versions of Parse Server, allowing attackers to exploit malformed Content-Type entries. The issue arises when the mime package fails to recognize an uploaded file's extension, which results in the unaltered storage of user-supplied Content-Type values. Malicious actors can leverage this flaw by uploading files with HTML content that, when accessed, can execute script code within the context of the application's origin, thereby affecting users who visit the file's URL. The default GridFS storage adapter is not impacted by this vulnerability. Users are advised to update to versions 9.10.0-alpha.2 or 8.6.84 to mitigate the risk.

Affected Version(s)

parse-server 9.0.0 < 9.10.0-alpha.2

parse-server 0 < 8.6.84

parse-server 9.10.0-alpha.2

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

CyberKareem
mtrezza
.