CVE-2026-30948 Overview
CVE-2026-30948 is a stored Cross-Site Scripting (XSS) vulnerability in Parse Server, an open source backend that can be deployed to any infrastructure that can run Node.js. This vulnerability allows any authenticated user to upload an SVG file containing JavaScript code. When served, the file is delivered inline with Content-Type: image/svg+xml and without protective headers, causing the browser to execute embedded scripts within the Parse Server origin context. This can be exploited to steal session tokens from localStorage and achieve complete account takeover.
Critical Impact
Authenticated attackers can steal session tokens and achieve account takeover through malicious SVG file uploads.
Affected Products
- Parse Server versions prior to 8.6.17 (stable branch)
- Parse Server versions 9.5.2-alpha1, 9.5.2-alpha2, and 9.5.2-alpha3
- All Parse Server deployments where file upload is enabled for authenticated users (the default configuration)
Discovery Timeline
- 2026-03-10 - CVE-2026-30948 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30948
Vulnerability Analysis
This stored XSS vulnerability exists because Parse Server's file upload functionality fails to properly sanitize or block SVG files, which are a well-known XSS vector. While the default fileExtensions option blocks HTML file extensions to prevent obvious script injection attacks, it does not block SVG files. SVG (Scalable Vector Graphics) files are XML-based and can contain embedded JavaScript within <script> tags or event handlers like onload.
When an authenticated user uploads a malicious SVG file, Parse Server stores and serves the file with the Content-Type: image/svg+xml header. Critically, the server does not include protective headers such as Content-Disposition: attachment or Content-Security-Policy that would prevent script execution. As a result, when a victim visits the URL of the uploaded SVG file, their browser interprets and executes any embedded JavaScript within the context of the Parse Server origin.
The attack requires low privileges (any authenticated user can upload files by default) and passive user interaction (the victim must visit the malicious SVG URL). However, the impact is significant as attackers can access the same-origin localStorage where Parse Server stores session tokens, enabling complete account takeover.
Root Cause
The root cause is insufficient input validation in Parse Server's file upload functionality. The default fileExtensions configuration blocks common script-bearing file types like .html, .htm, and similar extensions, but fails to include .svg files in this blocklist. This oversight, combined with the server serving uploaded files inline with the SVG MIME type and without security headers, creates an exploitable XSS condition.
Attack Vector
The attack vector is network-based and requires an authenticated attacker to upload a crafted SVG file containing malicious JavaScript. The attacker then tricks a victim into visiting the URL where the SVG is served. When the victim's browser loads the SVG, the embedded JavaScript executes in the Parse Server's origin context.
The malicious SVG could contain JavaScript that reads session tokens from localStorage, exfiltrates them to an attacker-controlled server, or performs actions on behalf of the victim user. Since SVG files are often considered safe image formats, users may be less suspicious of clicking links to SVG resources compared to obvious script files.
Detection Methods for CVE-2026-30948
Indicators of Compromise
- SVG files uploaded to Parse Server containing <script> tags or JavaScript event handlers (e.g., onload, onclick)
- Unusual file upload patterns from authenticated users, particularly SVG files with obfuscated or encoded content
- Network requests from the Parse Server domain to unexpected external endpoints (potential token exfiltration)
- User sessions being hijacked or unauthorized account access following visits to uploaded file URLs
Detection Strategies
- Implement Content Security Policy (CSP) headers with strict script-src directives to detect and block inline script execution
- Monitor file upload logs for SVG files and scan uploaded content for embedded JavaScript patterns
- Deploy web application firewall (WAF) rules to detect and alert on SVG files containing script elements or event handlers
- Enable audit logging for session token access and monitor for suspicious token usage patterns
Monitoring Recommendations
- Configure alerts for file uploads with .svg extensions from non-administrative users
- Monitor for anomalous cross-origin requests originating from the Parse Server domain
- Implement real-time scanning of uploaded files for embedded active content
- Track session token usage patterns to identify potential account compromise
How to Mitigate CVE-2026-30948
Immediate Actions Required
- Upgrade Parse Server to version 8.6.17 (stable) or 9.5.2-alpha.4 (alpha) immediately
- Audit existing uploaded files for malicious SVG content containing JavaScript
- Temporarily disable file upload functionality for non-administrative users until patching is complete
- Implement additional CSP headers to restrict script execution from uploaded file locations
Patch Information
Parse Server has addressed this vulnerability in versions 8.6.17 and 9.5.2-alpha.4. The fix adds SVG to the blocked file extensions list and implements additional security measures for file serving.
For detailed patch information, refer to:
Workarounds
- Add svg to the fileExtensions blocklist in Parse Server configuration if immediate upgrade is not possible
- Configure the web server or CDN to serve uploaded files with Content-Disposition: attachment header to force downloads instead of inline rendering
- Implement strict Content Security Policy headers that prevent script execution from file storage paths
- Move uploaded files to a separate origin/subdomain that does not share the same authentication context as the main application
# Configuration example - restrict allowed upload extensions in Parse Server config
# parse-server-config.json
# fileUpload.fileExtensions is an allowlist of permitted extensions (or regex patterns),
# so keep svg out by enumerating only the types the application needs; html and htm
# stay rejected as well.
{
  "fileUpload": {
    "fileExtensions": ["png", "jpg", "jpeg", "gif", "webp", "pdf"]
  }
}
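The header-based workarounds above (Content-Disposition: attachment plus a restrictive CSP on the file route) as an Express-style middleware; this is an added example, not Parse Server code, and it assumes Parse Server is mounted at /parse so files are served under /parse/files/<appId>/<name>:

```javascript
// Added example, not Parse Server code: harden responses on the files route until the
// upgrade lands. FILES_PREFIX assumes the default /parse mount path; adjust as needed.
const FILES_PREFIX = '/parse/files/';

// Formats a browser renders as a document (where script can run) rather than as an image.
const ACTIVE_CONTENT_EXTENSIONS = new Set(['svg', 'svgz', 'html', 'htm', 'xhtml', 'xml']);

function extensionOf(urlPath) {
  const base = urlPath.split('?')[0].split('/').pop();
  return base.includes('.') ? base.split('.').pop().toLowerCase() : '';
}

// Returns the headers to add for a request path, or null when it is not a files request.
function hardenedFileHeaders(urlPath) {
  if (!urlPath.startsWith(FILES_PREFIX)) return null;
  const headers = {
    // Never let the browser second-guess the declared content type.
    'X-Content-Type-Options': 'nosniff',
    // If something does render inline, it can neither run script nor act as the origin.
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
  if (ACTIVE_CONTENT_EXTENSIONS.has(extensionOf(urlPath))) {
    // Force a download instead of inline rendering, as the workaround describes.
    headers['Content-Disposition'] = 'attachment';
  }
  return headers;
}

// Register with app.use(uploadedFileHardening) before app.use('/parse', parseServerApp).
function uploadedFileHardening(req, res, next) {
  const headers = hardenedFileHeaders(req.originalUrl || req.url);
  if (headers) {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  }
  next();
}
```

Content-Disposition only affects navigations, so existing <img> embeds of uploaded SVGs keep rendering (script never runs in that context) while a direct visit to the file URL becomes a download.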
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

