PT-2026-25823 · Unknown · Parse Server

Fancymalware · Published 2026-03-16 · Updated 2026-03-20 · CVE-2026-32728

CVSS v4.0: 8.3 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions

Parse Server versions prior to 9.6.0-alpha.15
Parse Server versions prior to 8.6.41
Parse Server versions prior to 9.6.0
Description

Parse Server, an open-source backend that runs on Node.js infrastructures, is affected by a file upload issue. An attacker with file upload privileges can bypass the file extension filter by appending a MIME parameter (e.g., ;charset=utf-8) to the Content-Type header, because the extension validation does not correctly handle a Content-Type value that carries parameters. The bypass allows active content to be stored and served under the application's domain. In addition, certain XML-based file extensions that browsers can render with script were not included in the default blocklist, potentially enabling stored cross-site scripting (XSS). Successful exploitation could compromise session tokens, user credentials, and other sensitive data reachable from the browser's local storage. The vulnerable component is the file upload functionality, specifically its extension validation.
Recommendations

Versions prior to 9.6.0-alpha.15 should be updated.
Versions prior to 8.6.41 should be updated.
Versions prior to 9.6.0 should be updated.
Configure the fileUpload.fileExtensions option to use an allowlist of only the file extensions that your application needs, rather than relying on the default blocklist.
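As an added example (not Parse Server's own code and not the project's fix), the following Node.js check shows the two defensive points the advisory makes: the media type is taken from the Content-Type header with any MIME parameters stripped before it is compared, and the file extension is validated against an allowlist rather than a blocklist. The extension set, the media-type mapping and the function names are assumptions chosen for illustration.

```javascript
// Added example (not Parse Server's own code): a hardened upload check that
// validates the file extension after normalising the Content-Type header.
// The media type is taken from the part before any ';' so a parameter such as
// ';charset=utf-8' cannot change the outcome, and the extension is checked
// against an allowlist instead of a blocklist. Names and sets are assumed.

// Extensions the application actually serves (assumed allowlist).
const ALLOWED_EXTENSIONS = new Set(['png', 'jpg', 'jpeg', 'gif', 'pdf']);

// Extensions each permitted media type may claim (assumed mapping).
const MEDIA_TYPE_EXTENSIONS = {
  'image/png': ['png'],
  'image/jpeg': ['jpg', 'jpeg'],
  'image/gif': ['gif'],
  'application/pdf': ['pdf'],
};

// Split a Content-Type value into its media type and its parameters.
function parseContentType(header) {
  const parts = String(header || '').split(';');
  const mediaType = parts.shift().trim().toLowerCase();
  const params = {};
  for (const p of parts) {
    const eq = p.indexOf('=');
    if (eq === -1) continue;
    const key = p.slice(0, eq).trim().toLowerCase();
    const value = p.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (key) params[key] = value;
  }
  return { mediaType, params };
}

// Last extension of the file name, lowercased; '' when there is none.
function fileExtension(filename) {
  const base = String(filename || '').split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  return dot > 0 ? base.slice(dot + 1).toLowerCase() : '';
}

// Accept the upload only when the extension is allowlisted and agrees with the
// parameter-stripped media type. Anything else, including XML-based types that
// browsers can render with script, is rejected simply by not being listed.
function isUploadAllowed(filename, contentTypeHeader) {
  const ext = fileExtension(filename);
  if (!ALLOWED_EXTENSIONS.has(ext)) return false;
  const { mediaType } = parseContentType(contentTypeHeader);
  const expected = MEDIA_TYPE_EXTENSIONS[mediaType];
  return Array.isArray(expected) && expected.includes(ext);
}
```

In Parse Server itself the equivalent control is the fileUpload.fileExtensions allowlist named in the recommendations; the check above is a stand-alone illustration of the same principle.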

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-PARSE-2026-32728
CVE-2026-32728
GHSA-42PH-PF9Q-CR72

Affected Products

Parse Server