CVE-2025-68115

MEDIUM

Parse Server < 8.6.1 - Reflected Cross-Site Scripting in Password Reset and Email Verification Pages


Description

Parse Server is an open-source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user-controlled values that are inserted into the HTML pages. No known workarounds are available.

References (3)

Issue Tracking, Patch (x_refsource_misc): https://github.com/parse-community/parse-server/pull/9985
Issue Tracking, Patch (x_refsource_misc): https://github.com/parse-community/parse-server/pull/9986

Scores

CVSS v3 6.1
EPSS 0.0003
EPSS Percentile 7.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (4)
npm/parse-server 0 - 8.6.1 (npm)
parseplatform/parse-server 9.0.0 (12 CPE variants)
parseplatform/parse-server 9.1.0 alpha1 (2 CPE variants)
parseplatform/parse-server < 8.6.1
Published Dec 16, 2025
Tracked Since Feb 18, 2026