PT-2026-57441 · Unknown · Parse Server

Cyberkareem

+1

·

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-61448

CVSS v4.0

2.1

Low

VectorAV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions Parse Server versions 9.0.0 through 9.10.0-alpha.1 Parse Server versions 8.x and earlier through 8.6.83
Description A stored cross-site scripting (XSS) issue exists when the mime package does not recognize an uploaded file's extension, causing Parse Server to preserve the client-supplied Content-Type. A malformed Content-Type that is not a valid type/subtype media type can bypass the fileUpload.fileExtensions blocklist and be stored unchanged. On storage adapters that persist and serve the uploaded Content-Type, such as Amazon S3, Google Cloud Storage, or Azure Blob Storage, browsers may perform MIME-sniffing—a process where the browser attempts to determine the file type by inspecting its content—and render files starting with HTML as HTML. This allows the execution of embedded scripts in the application's origin against users who open the file URL.
Recommendations Update to version 9.10.0-alpha.2 or later. Update to version 8.6.84 or later.

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-61448

Affected Products

Parse Server