PT-2026-57441 · Unknown · Parse Server
Cyberkareem
+1
·
Published
2026-07-11
·
Updated
2026-07-11
·
CVE-2026-61448
CVSS v4.0
2.1
Low
| Vector | AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
Parse Server versions 9.0.0 through 9.10.0-alpha.1
Parse Server versions 8.x and earlier through 8.6.83
Description
A stored cross-site scripting (XSS) issue exists when the
mime package does not recognize an uploaded file's extension, causing Parse Server to preserve the client-supplied Content-Type. A malformed Content-Type that is not a valid type/subtype media type can bypass the fileUpload.fileExtensions blocklist and be stored unchanged. On storage adapters that persist and serve the uploaded Content-Type, such as Amazon S3, Google Cloud Storage, or Azure Blob Storage, browsers may perform MIME-sniffing—a process where the browser attempts to determine the file type by inspecting its content—and render files starting with HTML as HTML. This allows the execution of embedded scripts in the application's origin against users who open the file URL.Recommendations
Update to version 9.10.0-alpha.2 or later.
Update to version 8.6.84 or later.
Fix
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Parse Server