PT-2026-51112 · Unknown · Parse Server

Published: 2026-06-19 · Updated: 2026-06-19 · CVE-2026-55778

CVSS v4.0: 2.1 (Low)

Vector: AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Parse Server (affected versions not specified)

Description: The default fileUpload.fileExtensions blocklist can be bypassed by uploading files with non-standard or compound extensions combined with a dangerous content type. This allows the upload of files that browsers render as active content, such as HTML and SVG, leading to stored cross-site scripting (XSS): a script injected into the stored file executes in the browser of any other user who opens it. The issue is particularly impactful on storage adapters such as S3 and GCS that persist the attacker-supplied content type and serve it back unchanged. The GridFS/filesystem adapter sends the X-Content-Type-Options: nosniff header, which mitigates browser rendering, but the upload restriction itself is still bypassed.

Recommendations: Configure fileUpload.fileExtensions as a strict allowlist containing only the extensions the application actually needs (e.g., ["^(png|jpe?g|gif|pdf)$"]) instead of relying on the default blocklist. Serve uploaded files from a domain separate from the application's origin, so that any content that does execute is isolated from the application origin.
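As an added example, not code from the advisory or from Parse Server, the following Node.js script models an extension gate in the style of the fileUpload.fileExtensions option: the text after the filename's final dot must match at least one regex in the configured list. It compares an assumed blocklist-style default (a single pattern that rejects only htm/html and lets every other short extension through; the advisory does not quote the default, so treat that pattern as an assumption) against the strict allowlist from the recommendation above. It also gates the declared content type, which is an added check beyond the advisory's recommendations, motivated by the S3/GCS behaviour of serving back whatever content type the uploader declared. All filenames and content types in the sample set are constructed.

```javascript
// Illustrative model of an upload extension gate (not Parse Server's code).

// Assumed blocklist-style default: rejects only htm/html, accepts any other
// 3- or 4-character extension. Assumption; not quoted from the advisory.
const DEFAULT_BLOCKLIST = ['^[^hH][^tT][^mM][^lL]?$'];

// Strict allowlist taken from the advisory's recommendation.
const STRICT_ALLOWLIST = ['^(png|jpe?g|gif|pdf)$'];

// Media types browsers render as active content. Rejecting these regardless
// of extension is added hardening, not part of the advisory's recommendations.
const ACTIVE_CONTENT_TYPES = new Set([
  'text/html',
  'application/xhtml+xml',
  'image/svg+xml',
]);

// Extension = text after the final dot of the basename ("invoice.pdf.svg" -> "svg").
// A leading-dot name such as ".htaccess" has no extension and is rejected.
function extensionOf(filename) {
  const base = filename.slice(filename.lastIndexOf('/') + 1);
  const dot = base.lastIndexOf('.');
  return dot <= 0 ? '' : base.slice(dot + 1);
}

// True when the extension matches at least one configured pattern.
function isExtensionAllowed(filename, patterns) {
  const ext = extensionOf(filename);
  if (ext === '') return false;
  return patterns.some((p) => new RegExp(p).test(ext));
}

// Full gate: extension against the pattern list, then the declared content
// type (what S3/GCS would persist and serve) against the active-content set.
function checkUpload(filename, contentType, patterns) {
  if (!isExtensionAllowed(filename, patterns)) {
    return { ok: false, reason: 'extension not allowed' };
  }
  const mediaType = contentType.split(';')[0].trim().toLowerCase();
  if (ACTIVE_CONTENT_TYPES.has(mediaType)) {
    return { ok: false, reason: 'active content type' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed sample uploads: one benign file plus attempts that pair a
// permitted-looking extension with active content.
const SAMPLES = [
  { filename: 'photo.jpeg', contentType: 'image/jpeg' },
  { filename: 'payload.html', contentType: 'text/html' },
  { filename: 'chart.svg', contentType: 'image/svg+xml' },
  { filename: 'invoice.pdf.svg', contentType: 'image/svg+xml' },
  { filename: 'notes.txt', contentType: 'text/html' },
  { filename: 'logo.png', contentType: 'text/html; charset=utf-8' },
];

// One row per sample: what each policy decides for that upload.
function compare(samples) {
  return samples.map(({ filename, contentType }) => ({
    filename,
    defaultBlocklist: isExtensionAllowed(filename, DEFAULT_BLOCKLIST),
    strictAllowlist: isExtensionAllowed(filename, STRICT_ALLOWLIST),
    hardened: checkUpload(filename, contentType, STRICT_ALLOWLIST).ok,
  }));
}

console.table(compare(SAMPLES));
```

The table shows the blocklist accepting chart.svg, invoice.pdf.svg and notes.txt, all of which the allowlist rejects. The last row is the reason for the extra content-type check: logo.png passes both extension policies, but an adapter that stores and serves the declared text/html would hand the browser active content anyway, so a practitioner pairing the allowlist with S3 or GCS should also refuse (or overwrite) the client-declared content type.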

Fix

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2026-55778
GHSA-V8X7-R927-CC93

Affected Products

Parse Server