PT-2026-24758 · Bitnami+4 · Parse+1
Restriction · Published 2026-03-11 · Updated 2026-03-13 · CVE-2026-31868
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 9.6.0-alpha.4
Parse Server versions prior to 8.6.30

Description
Parse Server allows an attacker to upload files whose extensions or content types are not blocked by the default configuration of the fileUpload.fileExtensions option. Such files, which may carry malicious code such as JavaScript inside SVG or XHTML documents, can be executed when accessed through a URL, resulting in a stored Cross-Site Scripting (XSS) issue. This can enable an attacker to steal session tokens, redirect users, or perform actions on behalf of other users. Affected file extensions and content types include .svgz, .xht, .xml, .xsl, .xslt, and, for extensionless uploads, the content types application/xhtml+xml and application/xslt+xml. The vulnerability involves the fileUpload.fileExtensions option.

Recommendations
For versions prior to 9.6.0-alpha.4, update to version 9.6.0-alpha.4 or later. For versions prior to 8.6.30, update to version 8.6.30 or later. Configure the fileUpload.fileExtensions server option to block the affected file extensions and content types.
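The following Node.js snippet is an added example, not code from this advisory or from the Parse Server project. It models the allowlist semantics behind the fileUpload.fileExtensions option (each entry is treated as a regular expression that an upload's extension must match) and contrasts a permissive, exclusion-style pattern, which lets the extensions named above through, with an explicit allowlist of the types an application actually needs. The isUploadAllowed and extensionOf helpers, the constructed sample uploads and the content-type fallback for extensionless files are this example's own additions, written from the advisory's description; the pattern `^(?!(h|H)(t|T)(m|M)(l|L)?$)` is how I recall the pre-fix default and should be checked against the version you run.

```javascript
// Added example: models how an extension allowlist decides whether an upload
// is accepted. Not Parse Server's code. The option shape (an array of regex
// strings) mirrors fileUpload.fileExtensions; everything else here is the
// example's own construction.

// Exclusion-style pattern: rejects only html/htm and accepts everything else,
// so .svgz, .xht, .xsl, .xslt and .xml pass. Recalled pre-fix default; verify
// against the defaults shipped with your Parse Server version.
const exclusionStyle = ['^(?!(h|H)(t|T)(m|M)(l|L)?$)'];

// Explicit allowlist: only the types the application needs. Anything not
// listed, including the extensions named in the advisory, is refused.
const strictAllowlist = ['^(png|jpe?g|gif|webp|pdf)$'];

// Hypothetical content-type allowlist for extensionless uploads. This is NOT a
// Parse Server option; it shows how to cover the second vector the advisory
// names (application/xhtml+xml and application/xslt+xml with no extension).
const allowedContentTypes = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp', 'application/pdf',
]);

// Extension without its dot, lower-cased (this example's policy). Dotfiles,
// trailing dots and names without a dot are treated as extensionless.
function extensionOf(filename) {
  const idx = filename.lastIndexOf('.');
  if (idx <= 0 || idx === filename.length - 1) return '';
  return filename.slice(idx + 1).toLowerCase();
}

// True when the upload should be accepted: a file with an extension must match
// at least one allowlist regex; an extensionless file must carry an allowed
// content type (media type only, parameters such as charset stripped).
function isUploadAllowed(filename, contentType, extensions) {
  const ext = extensionOf(filename);
  if (ext === '') {
    const mediaType = (contentType || '').split(';')[0].trim().toLowerCase();
    return allowedContentTypes.has(mediaType);
  }
  return extensions.some((pattern) => new RegExp(pattern).test(ext));
}

// Constructed sample uploads (names and types made up for this example).
const samples = [
  { name: 'avatar.png', type: 'image/png' },
  { name: 'diagram.svgz', type: 'image/svg+xml' },
  { name: 'page.xht', type: 'application/xhtml+xml' },
  { name: 'stylesheet.xslt', type: 'application/xslt+xml' },
  { name: 'report.pdf', type: 'application/pdf' },
  { name: 'noext', type: 'application/xhtml+xml' },
  { name: 'blob', type: 'image/png' },
];

// Map each sample name to the accept/reject decision under a given allowlist.
function evaluate(extensions) {
  return Object.fromEntries(
    samples.map((s) => [s.name, isUploadAllowed(s.name, s.type, extensions)]),
  );
}

console.log('exclusion-style pattern:', evaluate(exclusionStyle));
console.log('strict allowlist:       ', evaluate(strictAllowlist));
```

Under the exclusion-style pattern every extension except html/htm is accepted, which is exactly the gap the advisory describes; under the strict allowlist the .svgz, .xht and .xslt samples are refused, and the content-type fallback refuses the extensionless XHTML upload while still accepting the extensionless PNG. Maintaining the list as an allowlist of needed types, rather than a denylist of known-bad ones, is what keeps newly discovered script-bearing formats from slipping through.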

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-31868
CVE-2026-31868
GHSA-V5HF-F4C3-M5RV

Affected Products

Parse
Parse Server