PT-2026-24426 · Unknown · Parse Server

Restriction · Published 2026-03-10 · Updated 2026-03-12 · CVE-2026-30948

CVSS v4.0: 8.3 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions
Parse Server versions prior to 9.5.2-alpha.4
Parse Server versions prior to 8.6.17

Description
Parse Server, an open source backend deployable on Node.js infrastructures, contains a stored cross-site scripting (XSS) issue. Authenticated users can upload SVG files containing JavaScript. These files are served inline with a Content-Type of image/svg+xml and without protective headers, so the embedded scripts execute within the Parse Server origin. This can allow an attacker to steal session tokens from localStorage and take over accounts. The default fileExtensions option does not block SVG files, which are a known XSS vector. All Parse Server deployments that enable file upload for authenticated users are affected.

Recommendations
Update to Parse Server version 9.5.2-alpha.4 or later.
Update to Parse Server version 8.6.17 or later.

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-30948
CVE-2026-30948
GHSA-HCJ7-6GXH-24WW

Affected Products

Parse Server