CVE-2026-53724

LOW

Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist

Title source: cna

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as image/svg+xml, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff on responses. This issue has been patched in versions 8.6.79 and 9.9.1-alpha.4.

References (3)

Core 3

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/parse-community/parse-server/security/advisories/GHSA-7wqv-xjf3-x35v

X_Refsource_Misc x_refsource_misc

https://github.com/parse-community/parse-server/pull/10489

X_Refsource_Misc x_refsource_misc

https://github.com/parse-community/parse-server/pull/10490

Scores

CVSS v4 2.1

EPSS 0.0028

EPSS Percentile 19.6%

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-434 CWE-79

Status published

Products (2)

parse-community/parse-server < 8.6.79

parse-community/parse-server >= 9.0.0, < 9.9.1-alpha.4

Published Jun 12, 2026

Tracked Since Jun 13, 2026