Unknown · Parse Server · CVE-2026-61448
**Name of the Vulnerable Software and Affected Versions**
Parse Server versions 9.0.0 through 9.10.0-alpha.1
Parse Server versions 8.x through 8.6.83
**Description**
A stored cross-site scripting (XSS) issue exists when the software fails to recognize an uploaded file's extension via the mime package, leading it to preserve the client-supplied Content-Type. A malformed Content-Type that does not follow a valid type/subtype media type format (for example, 'image', 'image/', or 'image//svg+xml') can bypass the `fileUpload.fileExtensions` blocklist and be stored without modification. When using storage adapters that persist and serve the uploaded Content-Type, such as Amazon S3, Google Cloud Storage, or Azure Blob Storage, browsers may fail to parse the malformed value and perform MIME-sniffing. This allows a file starting with HTML to be rendered as HTML, executing embedded scripts in the application's origin against users who access the file URL. The default GridFS storage adapter is not affected.
**Recommendations**
Update to version 9.10.0-alpha.2 or later.
Update to version 8.6.84 or later.