parse-community parse-server up to 8.6.78/9.9.1-alpha.3 Default File Upload Extension unrestricted upload

Summaryinfo

A vulnerability was found in parse-community parse-server up to 8.6.78/9.9.1-alpha.3. It has been rated as critical. This affects an unknown part of the component Default File Upload Extension. Performing a manipulation results in unrestricted upload. This vulnerability was named CVE-2026-53724. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is advised.

Detailsinfo

A vulnerability, which was classified as critical, was found in parse-community parse-server up to 8.6.78/9.9.1-alpha.3. This affects an unknown function of the component Default File Upload Extension. The manipulation with an unknown input leads to a unrestricted upload vulnerability. CWE is classifying the issue as CWE-434. The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as image/svg+xml, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff on responses. This issue has been patched in versions 8.6.79 and 9.9.1-alpha.4.

The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2026-53724 since 06/10/2026. The exploitability is told to be easy. It is possible to initiate the attack remotely. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1608.002 for this issue.

Upgrading to version 8.6.79 or 9.9.1-alpha.4 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-36539). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• parse-community

Name

• parse-server

Version

• 8.6.0
• 8.6.1
• 8.6.2
• 8.6.3
• 8.6.4
• 8.6.5
• 8.6.6
• 8.6.7
• 8.6.8
• 8.6.9
• 8.6.10
• 8.6.11
• 8.6.12
• 8.6.13
• 8.6.14
• 8.6.15
• 8.6.16
• 8.6.17
• 8.6.18
• 8.6.19
• 8.6.20
• 8.6.21
• 8.6.22
• 8.6.23
• 8.6.24
• 8.6.25
• 8.6.26
• 8.6.27
• 8.6.28
• 8.6.29
• 8.6.30
• 8.6.31
• 8.6.32
• 8.6.33
• 8.6.34
• 8.6.35
• 8.6.36
• 8.6.37
• 8.6.38
• 8.6.39
• 8.6.40
• 8.6.41
• 8.6.42
• 8.6.43
• 8.6.44
• 8.6.45
• 8.6.46
• 8.6.47
• 8.6.48
• 8.6.49
• 8.6.50
• 8.6.51
• 8.6.52
• 8.6.53
• 8.6.54
• 8.6.55
• 8.6.56
• 8.6.57
• 8.6.58
• 8.6.59
• 8.6.60
• 8.6.61
• 8.6.62
• 8.6.63
• 8.6.64
• 8.6.65
• 8.6.66
• 8.6.67
• 8.6.68
• 8.6.69
• 8.6.70
• 8.6.71
• 8.6.72
• 8.6.73
• 8.6.74
• 8.6.75
• 8.6.76
• 8.6.77
• 8.6.78
• 9.9.1-alpha.0
• 9.9.1-alpha.1
• 9.9.1-alpha.2
• 9.9.1-alpha.3

Website

• Product: https://github.com/parse-community/parse-server/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion