CVE-2026-53724
Published 2026-06-12
Priority: P4
Severity: Low (CVSS 4.0 base score 2.1)
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.28% (19.8th percentile)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as image/svg+xml, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff on responses. This issue has been patched in versions 8.6.79 and 9.9.1-alpha.4.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| parse-community | parse-server | < 8.6.79 | 8.6.79 |
| parse-community | parse-server | — | — |
| parse-community | parse-server | >= 0 < 8.6.79 | 8.6.79 |
| parse-community | parse-server | >= 9.0.0 < 9.9.1-alpha.4 | 9.9.1-alpha.4 |
GHSA (published 2026-06-19)
parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist (CVE-2026-53724, severity Low, CWE-434)
### Impact
The default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. `poc.svg.`). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as `image/svg+xml`, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets `X-Content-Type-Options: nosniff` on responses.
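The short-circuit described above, modelled as an added example (this is not Parse Server's code), beside a hardened check that normalises the filename before consulting the blocklist and independently refuses active Content-Types so the decision does not rest on filename parsing alone. The blocklist contents, the active-type list and all function names are constructed assumptions.

```javascript
// Constructed blocklist of extensions a browser would render as active content.
const BLOCKED_EXTENSIONS = new Set(['html', 'htm', 'js', 'svg']);
// Constructed list of Content-Types that execute or render actively.
const ACTIVE_CONTENT_TYPES = new Set([
  'text/html', 'image/svg+xml', 'text/javascript', 'application/javascript',
]);

// Extension parser in the vulnerable style: everything after the last dot.
// For "poc.svg." nothing follows the final dot, so it returns "".
function extensionOf(filename) {
  const idx = filename.lastIndexOf('.');
  return idx === -1 ? '' : filename.slice(idx + 1).toLowerCase();
}

// Vulnerable check: an empty extension is treated as "nothing to block",
// so "poc.svg." is accepted and its Content-Type is forwarded unchanged.
function isUploadAllowedVulnerable(filename) {
  const ext = extensionOf(filename);
  if (ext === '') return true; // the short-circuit the advisory describes
  return !BLOCKED_EXTENSIONS.has(ext);
}

// Hardened check:
//  1. normalise the name first (strip trailing dots and whitespace) so the
//     extension is taken from the name as a filesystem or browser sees it;
//  2. evaluate the blocklist on that real extension;
//  3. refuse active Content-Types regardless of the filename, as a second
//     independent layer.
function isUploadAllowedHardened(filename, contentType) {
  const normalized = filename.trim().replace(/[.\s]+$/, '');
  if (normalized === '') return false; // a name made only of dots is rejected
  if (BLOCKED_EXTENSIONS.has(extensionOf(normalized))) return false;
  const mime = String(contentType || '').split(';')[0].trim().toLowerCase();
  return !ACTIVE_CONTENT_TYPES.has(mime);
}

// Constructed upload attempts in the shape the advisory describes.
const SAMPLES = [
  { name: 'poc.svg', type: 'image/svg+xml' },
  { name: 'poc.svg.', type: 'image/svg+xml' },
  { name: 'photo.png', type: 'image/png' },
];

// Returns the verdict of each check per sample so both can be compared side by side.
function compareChecks() {
  return SAMPLES.map(s => ({
    name: s.name,
    vulnerable: isUploadAllowedVulnerable(s.name),
    hardened: isUploadAllowedHardened(s.name, s.type),
  }));
}
```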
### Patches
A
VulDB (published 2026-06-12, CVSS 2.1)
parse-community parse-server up to 8.6.78/9.9.1-alpha.3 Default File Upload Extension unrestricted upload (CVE-2026-53724, severity Low, GHSA-7wqv-xjf3-x35v / EUVD-2026-36539)
A vulnerability was found in parse-community parse-server up to 8.6.78/9.9.1-alpha.3. It has been declared as critical. Affected by this issue is some unknown functionality of the component Default File Upload Extension. Such manipulation leads to unrestricted upload.
This vulnerability is uniquely identified as CVE-2026-53724. The attack can be launched remotely. No exploit exists.
It is recommended to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.