CVE-2026-53724
LowCVSS 2.1Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
Parse Server prior to versions 8.6.79 and 9.9.1-alpha.4 allowed bypassing the default file upload extension blocklist by appending a trailing dot to a filename. This enables attackers to upload files with dangerous MIME types, leading to potential XSS attacks.
Risk Assessment
Organizations may be exposed to XSS attacks, which can result in user data theft or session hijacking. If exploited, an attacker can upload a malicious file that will be opened by a victim.
Recommendation
It is recommended to update Parse Server to versions 8.6.79 or 9.9.1-alpha.4 to mitigate this vulnerability. Additionally, consider implementing extra security measures such as MIME type validation.
Original NVD description (English source)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as image/svg+xml, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff on responses. This issue has been patched in versions 8.6.79 and 9.9.1-alpha.4.

