CVE-2026-31868 Overview
Parse Server, an open source backend that can be deployed to any infrastructure running Node.js, contains a stored Cross-Site Scripting (XSS) vulnerability in versions prior to 9.6.0-alpha.4 and 8.6.30. The vulnerability exists due to insufficient file extension and content type validation in the default configuration of the fileUpload.fileExtensions option, allowing attackers to upload files containing malicious code that executes when accessed via the file's URL.
Critical Impact
Attackers can exploit this stored XSS vulnerability to steal session tokens, redirect users to malicious sites, or perform unauthorized actions on behalf of other users by uploading malicious files whose extensions or content types are not rejected by the default upload filter.
Affected Products
- Parse Server versions prior to 9.6.0-alpha.4
- Parse Server versions prior to 8.6.30
- Applications using Parse Server with default file upload configurations
Discovery Timeline
- 2026-03-11 - CVE-2026-31868 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-31868
Vulnerability Analysis
This vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting). The flaw allows attackers to bypass the default file upload restrictions by using file extensions and content types that were not included in the blocklist. While Parse Server's default configuration blocks common dangerous extensions such as .html, .htm, .shtml, .xhtml, and .svg, several other extensions capable of executing scripts in the browser context were not blocked.
The affected file extensions include .svgz (compressed SVG), .xht, .xml, .xsl, and .xslt. Additionally, content types application/xhtml+xml and application/xslt+xml were permitted for extensionless uploads, allowing malicious content to be served with executable MIME types.
Root Cause
The root cause of this vulnerability lies in an incomplete blocklist implementation within Parse Server's file upload validation logic. The fileUpload.fileExtensions configuration option did not account for all file types capable of containing and executing malicious scripts when rendered by web browsers. Specifically, XML-based formats that support embedded JavaScript or can trigger script execution were inadvertently permitted.
When a browser receives files with these extensions or content types from the Parse Server domain, it interprets and executes any embedded scripts within the same origin context, enabling stored XSS attacks.
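The following is an added example, not Parse Server's own code: a simplified model of how an extension allowlist such as fileUpload.fileExtensions is evaluated, used to show why a negative-lookahead default that only names html, htm, shtml, xhtml and svg still accepts the XML-based formats listed above, and why an anchored allowlist of non-renderable types does not. It assumes that each configured entry is tried as a JavaScript regular expression, that '*' accepts everything, and that an extensionless upload is checked by its Content-Type subtype (for example xhtml+xml); the sample uploads are constructed.

```javascript
// Added example (not Parse Server's own code): a simplified model of how an
// extension allowlist like fileUpload.fileExtensions is evaluated, used to show
// why the pre-fix default accepted script-capable XML formats. Assumptions:
// each entry is tried as a JavaScript RegExp, '*' accepts everything, and an
// extensionless upload is checked by its Content-Type subtype.

// The string the check actually sees: text after the last dot of the filename,
// or the Content-Type subtype (e.g. "xhtml+xml") when there is no extension.
function deriveExtension(filename, contentType) {
  if (filename && filename.includes('.')) {
    return filename.slice(filename.lastIndexOf('.') + 1).trim().toLowerCase();
  }
  if (contentType && contentType.includes('/')) {
    return contentType.split('/')[1].split(';')[0].trim().toLowerCase();
  }
  return '';
}

// Accept the upload when any allowlist entry matches the derived extension.
function isAllowed(fileExtensions, extension) {
  return fileExtensions.some(
    pattern => pattern === '*' || new RegExp(pattern).test(extension)
  );
}

// Stand-in for the pre-fix default described in the advisory: allow anything
// except html/htm/shtml/xhtml/svg. The negative lookahead makes it a denylist,
// so every extension it does not name is accepted.
const PRE_FIX_DEFAULT = ['^(?!(html?|shtml|xhtml|svg)$)'];

// Hardened form: an anchored allowlist of non-renderable types. Anchoring means
// "svg" cannot match "svgz" by substring, and content-type subtypes such as
// "xhtml+xml" are never accepted because they are not listed.
const HARDENED_ALLOWLIST = ['^(jpe?g|png|gif|webp|pdf)$'];

// Constructed sample uploads: benign files plus the advisory's bypass cases.
const SAMPLE_UPLOADS = [
  { filename: 'avatar.png', contentType: 'image/png' },
  { filename: 'page.html',  contentType: 'text/html' },
  { filename: 'logo.svgz',  contentType: 'image/svg+xml' },
  { filename: 'doc.xht',    contentType: 'application/xhtml+xml' },
  { filename: 'feed.xml',   contentType: 'application/xml' },
  { filename: 'style.xslt', contentType: 'application/xslt+xml' },
  { filename: 'noext',      contentType: 'application/xhtml+xml' },
];

// Returns the filenames a given configuration would accept.
function acceptedFilenames(fileExtensions, uploads = SAMPLE_UPLOADS) {
  return uploads
    .filter(u => isAllowed(fileExtensions, deriveExtension(u.filename, u.contentType)))
    .map(u => u.filename);
}

console.log('pre-fix default accepts:', acceptedFilenames(PRE_FIX_DEFAULT));
console.log('hardened allowlist accepts:', acceptedFilenames(HARDENED_ALLOWLIST));
```

With the constructed samples, the pre-fix-style pattern rejects only page.html and lets every XML-based file through, including the extensionless upload whose subtype xhtml+xml does not equal any denied name; the anchored allowlist accepts only avatar.png.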
Attack Vector
The attack vector is network-based and requires user interaction. An attacker exploits this vulnerability by:
- Uploading a malicious file with one of the bypassed extensions (e.g., .svgz, .xht, .xml, .xsl, .xslt) or using an extensionless file with application/xhtml+xml or application/xslt+xml content type
- Embedding JavaScript code within the file (for example, within an SVG or XHTML document)
- Distributing the URL of the uploaded file to potential victims
- When victims access the URL, their browser renders the file within the Parse Server domain context
- The malicious JavaScript executes with access to cookies, session tokens, and the ability to perform authenticated actions
The vulnerability exploits the trust relationship browsers have with content served from the same origin, making session hijacking and credential theft possible.
Detection Methods for CVE-2026-31868
Indicators of Compromise
- Unusual file uploads with extensions .svgz, .xht, .xml, .xsl, or .xslt containing script tags or JavaScript event handlers
- Files uploaded without extensions but with content types application/xhtml+xml or application/xslt+xml
- Access logs showing repeated requests to uploaded XML-based files from multiple user sessions
- User reports of unexpected behavior or redirects when accessing uploaded content
Detection Strategies
- Implement content inspection for uploaded files to detect embedded JavaScript, <script> tags, or event handler attributes
- Monitor file upload API endpoints for suspicious file types that match the affected extensions
- Deploy Web Application Firewall (WAF) rules to inspect uploaded file content for XSS patterns
- Audit existing uploaded files in Parse Server storage for potentially malicious XML-based content
Monitoring Recommendations
- Enable verbose logging for file upload operations including file names, extensions, and content types
- Configure alerting for uploads matching the vulnerable file extension patterns
- Monitor for anomalous user session activity that could indicate session token theft
- Review access patterns to uploaded files for potential XSS exploitation indicators
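As an added example for the detection and monitoring items above (not Parse Server's own code), the following pass inspects upload records, such as entries reconstructed from verbose file-upload logs or from a walk of the file store, and flags the risky extensions and content types named in the advisory; for text bodies it also looks for script indicators. The record shape {filename, contentType, body} and the sample records are assumptions constructed for the example; the bodies are harmless stand-ins.

```javascript
// Added example (not Parse Server's own code): a detection pass over upload
// records, e.g. rebuilt from verbose upload logs or a walk of the storage
// bucket. Flags the advisory's risky extensions and content types and, for
// text content, looks for script indicators. Record shape is assumed.

const RISKY_EXTENSIONS = new Set([
  'svgz', 'xht', 'xml', 'xsl', 'xslt', 'svg', 'xhtml', 'html', 'htm', 'shtml',
]);
const RISKY_CONTENT_TYPES = new Set([
  'application/xhtml+xml', 'application/xslt+xml', 'image/svg+xml', 'text/html',
]);

// Indicators that an XML-based document can run or pull in script.
const SCRIPT_INDICATORS = [
  { name: 'script-tag',        re: /<\s*script\b/i },
  { name: 'event-handler',     re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-uri',    re: /javascript\s*:/i },
  { name: 'xml-stylesheet-pi', re: /<\?xml-stylesheet\b/i },
];

function extensionOf(filename) {
  const dot = filename.lastIndexOf('.');
  return dot === -1 ? '' : filename.slice(dot + 1).toLowerCase();
}

// Evaluate one record; returns null when nothing is suspicious.
function inspectUpload(record) {
  const ext = extensionOf(record.filename);
  const ctype = (record.contentType || '').split(';')[0].trim().toLowerCase();
  const reasons = [];
  if (RISKY_EXTENSIONS.has(ext)) reasons.push(`risky-extension:${ext}`);
  if (ext === '' && RISKY_CONTENT_TYPES.has(ctype)) {
    reasons.push(`extensionless-risky-type:${ctype}`);
  }
  if (ext === 'svgz') {
    // Compressed SVG: the body is gzip, so it must be decompressed before scanning.
    reasons.push('compressed-svg: gunzip before content inspection');
  } else if (typeof record.body === 'string') {
    for (const { name, re } of SCRIPT_INDICATORS) {
      if (re.test(record.body)) reasons.push(`content:${name}`);
    }
  }
  return reasons.length ? { filename: record.filename, reasons } : null;
}

function findSuspiciousUploads(records) {
  return records.map(inspectUpload).filter(Boolean);
}

// Constructed sample records; bodies are harmless stand-ins, not real payloads.
const SAMPLE_RECORDS = [
  { filename: 'photo.jpg', contentType: 'image/jpeg', body: '\xff\xd8\xff' },
  { filename: 'report.xml', contentType: 'application/xml',
    body: '<?xml version="1.0"?><report><total>3</total></report>' },
  { filename: 'sheet.xsl', contentType: 'application/xslt+xml',
    body: '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
        + '<xsl:template match="/"><html><body onload="/* sample */"></body></html>'
        + '</xsl:template></xsl:stylesheet>' },
  { filename: 'page.xht', contentType: 'application/xhtml+xml',
    body: '<html xmlns="http://www.w3.org/1999/xhtml"><script>/* sample */</script></html>' },
  { filename: 'noext', contentType: 'application/xhtml+xml',
    body: '<html xmlns="http://www.w3.org/1999/xhtml"/>' },
  { filename: 'icon.svgz', contentType: 'image/svg+xml', body: null },
];

for (const finding of findSuspiciousUploads(SAMPLE_RECORDS)) {
  console.log(finding.filename, '->', finding.reasons.join(', '));
}
```

An upload is reported on extension or content type alone, because a benign-looking body today can be replaced by a later upload of the same name; the content indicators add a second, higher-confidence signal for triage. The extensionless record is caught only through its Content-Type, which is why upload logging should include the content type and not just the filename.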
How to Mitigate CVE-2026-31868
Immediate Actions Required
- Upgrade Parse Server to version 9.6.0-alpha.4 or 8.6.30 immediately
- Review and remove any existing files with the affected extensions (.svgz, .xht, .xml, .xsl, .xslt) that may contain malicious content
- Configure the fileUpload.fileExtensions option so that the vulnerable extensions are rejected until the patch can be applied
- Implement Content Security Policy (CSP) headers to mitigate script execution from uploaded content
Patch Information
Parse Server has released patched versions that address this vulnerability. Organizations should upgrade to one of the following versions:
- Version 8.6.30 - Stable release with the security fix. See Parse Server Release 8.6.30 for release notes.
- Version 9.6.0-alpha.4 - Alpha release with the security fix. See Parse Server Release 9.6.0-alpha.4 for release notes.
For complete technical details regarding this vulnerability, refer to the GitHub Security Advisory GHSA-v5hf-f4c3-m5rv.
Workarounds
- Update the fileUpload.fileExtensions configuration so that uploads with the .svgz, .xht, .xml, .xsl, and .xslt extensions are rejected
- Configure your web server or CDN to serve uploaded files with Content-Disposition: attachment header to prevent browser rendering
- Implement a Content Security Policy that restricts script execution from user-uploaded content
- Serve uploaded files from a separate domain or subdomain to isolate the security context from the main application
Example Parse Server configuration to block vulnerable extensions (add to your Parse Server configuration):

Option 1: Restrict fileUpload.fileExtensions. This option is an allowlist, not a blocklist: each entry is a regular expression and an upload is accepted when any entry matches the extension (or, for an extensionless upload, the Content-Type subtype such as xhtml+xml), so listing the dangerous extensions here would permit them. Prefer an anchored allowlist of the types the application needs:

  fileUpload: {
    fileExtensions: ['^(jpe?g|png|gif|webp|pdf)$'],
  },

If everything else must stay allowed, exclude the script-capable extensions and content-type subtypes with a negative lookahead instead (add uppercase variants if your version does not lowercase the extension before matching):

  fileUpload: {
    fileExtensions: ['^(?!(html?|shtml|xhtml|xht|xml|xslt?|svgz?|xhtml\\+xml|xslt\\+xml)$)'],
  },

Option 2: Configure the web server to force download for uploaded files (nginx example):

  location /files/ {
      add_header Content-Disposition "attachment";
      add_header X-Content-Type-Options "nosniff";
  }
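The same download-only and CSP hardening can be applied in the Express application that mounts Parse Server, which is useful when no reverse proxy sits in front of it. The following is an added example, not Parse Server's own code; the files mount path '/parse/files/' is an assumption and should be adjusted to the deployment's mount path.

```javascript
// Added example (not Parse Server's own code): hardening headers for a
// user-uploaded-files route, applied in the Express app that mounts Parse
// Server. The mount path below is an assumption; adjust it to your deployment.
// Content-Disposition: attachment plus nosniff stop the browser from rendering
// an upload as a document; the CSP is a second layer if rendering still occurs.

const FILE_ROUTE_PREFIX = '/parse/files/';

// Compute the hardening headers for one file response. Pure, so easy to test.
function fileResponseHeaders(filename) {
  // Keep the filename to a safe character set so it cannot break the header.
  const safeName = String(filename).replace(/[^A-Za-z0-9._-]/g, '_') || 'download';
  return {
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    // No scripts, no subresources, and sandboxed even if a browser renders it.
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Express-style middleware: apply the headers only to uploaded-file URLs and
// leave the rest of the API untouched.
function uploadedFileHeaders(req, res, next) {
  if (req.path.startsWith(FILE_ROUTE_PREFIX)) {
    const filename = req.path.slice(req.path.lastIndexOf('/') + 1);
    for (const [name, value] of Object.entries(fileResponseHeaders(filename))) {
      res.setHeader(name, value);
    }
  }
  next();
}

// Usage in the Express app, before the Parse Server API router is mounted:
//   app.use(uploadedFileHeaders);
```

Browsers generally still display such files inside img elements, so image uploads keep working; only a direct navigation to the file URL is turned into a download. Serving uploads from a separate origin, as the workaround list recommends, remains the stronger isolation because it removes the same-origin relationship entirely rather than relying on the browser honouring these headers.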
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

