CVE-2026-32728: Parse Server XSS Vulnerability via Upload

CVE-2026-32728 Overview

A stored cross-site scripting (XSS) vulnerability exists in Parse Server, an open source backend that can be deployed to any infrastructure running Node.js. The vulnerability allows authenticated attackers with file upload permissions to bypass the file extension blocklist by appending a MIME parameter (e.g., ;charset=utf-8) to the Content-Type header during file uploads. This causes the extension validation to fail matching against the blocklist, enabling active content to be stored and served under the application's domain.

Additionally, the default blocklist was found to be missing several XML-based file extensions (xsd, rng, rdf, rdf+xml, owl, mathml, mathml+xml) that can render scripts in web browsers. Successful exploitation leads to stored XSS attacks that can compromise session tokens, user credentials, or other sensitive data accessible via the browser's local storage.

Critical Impact
Attackers can upload malicious files containing executable scripts that execute in victims' browsers under the trusted application domain, potentially leading to session hijacking, credential theft, and unauthorized actions on behalf of authenticated users.

Affected Products

Parse Server versions prior to 9.6.0-alpha.15
Parse Server versions prior to 8.6.41
Parse Server 9.6.0-alpha.1 through 9.6.0-alpha.14

Discovery Timeline

2026-03-18 - CVE-2026-32728 published to NVD
2026-03-19 - Last updated in NVD database

Technical Details for CVE-2026-32728

Vulnerability Analysis

The vulnerability exists in Parse Server's file upload extension validation mechanism. When a user uploads a file, Parse Server validates the file extension against a blocklist to prevent the upload of potentially dangerous files such as HTML, SVG, and XML that can execute active content in browsers. However, the validation logic does not properly handle MIME parameters appended to the Content-Type header.

When an attacker appends a MIME parameter like ;charset=utf-8 to the Content-Type header, the regex-based validation fails to match the modified content type against blocked extensions. This allows files with dangerous extensions to pass through the filter and be stored on the server. Once stored, these files are served under the application's domain, enabling same-origin script execution.

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting). The attack requires the attacker to have file upload permissions (low privileges) and requires user interaction (a victim must access the malicious file).

Root Cause

The root cause is twofold:

Improper Content-Type parsing: The extension validation did not strip MIME parameters from the Content-Type header before performing the blocklist check. This allowed attackers to append parameters like ;charset=utf-8 to bypass the regex pattern matching.
Incomplete default blocklist: The default blocklist was missing several XML-based extensions that modern browsers render as active content, including xsd, rng, rdf, rdf+xml, owl, mathml, and mathml+xml.

Attack Vector

The attack is network-based and requires authenticated access with file upload permissions. An attacker exploits this vulnerability by:

Crafting a malicious file (e.g., HTML with embedded JavaScript)
Uploading the file with a modified Content-Type header containing a MIME parameter (e.g., text/html;charset=utf-8)
The extension validation fails to match against the blocklist due to the appended parameter
The malicious file is stored and served under the application's domain
When a victim accesses the file URL, the malicious script executes in their browser context

The following patch shows how the fix addresses the vulnerability by extending the blocklist to include additional XML-based extensions:

javascript

   fileExtensions: {
     env: 'PARSE_SERVER_FILE_UPLOAD_FILE_EXTENSIONS',
-    help: "Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to restrict the file upload extensions as much as possible. HTML, SVG, and XML files are especially problematic as they may be used by an attacker who uploads a HTML form, SVG image, or XML document to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage.<br><br>Defaults to `^(?!([xXsS]?[hH][tT][mM][lL]?(\\\\+[xX][mM][lL])?|[xX][hH][tT]|[sS][vV][gG]([zZ]|\\\\+[xX][mM][lL])?|[xX][mM][lL]|[xX][sS][lL][tT]?(\\\\+[xX][mM][lL])?)$)` which allows any file extension except those that are rendered as website or active content by a web browser.",
+    help: 'Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to only allow the file extensions that your app actually needs, rather than relying on blocking dangerous extensions. This allowlist approach is more secure because new dangerous file extensions may emerge that are not covered by the default blocklist.<br><br>The default blocks the most common file extensions that are known to be rendered as active content by web browsers, such as HTML, SVG, and XML files, which may be used by an attacker to compromise the session token of another user via accessing the browser\'s local storage. The blocked extensions are: `html`, `htm`, `shtml`, `xhtml`, `xhtml+xml`, `xht`, `svg`, `svgz`, `svg+xml`, `xml`, `xsl`, `xslt`, `xslt+xml`, `xsd`, `rng`, `rdf`, `rdf+xml`, `owl`, `mathml`, `mathml+xml`.<br><br>Defaults to `["^(?!([xXsS]?[hH][tT][mM][lL]?(\\\\+[xX][mM][lL])?|[xX][hH][tT]|[sS][vV][gG]([zZ]|\\\\+[xX][mM][lL])?|[xX][mM][lL]|[xX][sS][lL][tT]?(\\\\+[xX][mM][lL])?|[xX][sS][dD]|[rR][nN][gG]|[rR][dD][fF](\\\\+[xX][mM][lL])?|[oO][wW][lL]|[mM][aA][tT][hH][mM][lL](\\\\+[xX][mM][lL])?)$)"]`.',
     action: parsers.arrayParser,
     default: [
-      '^(?!([xXsS]?[hH][tT][mM][lL]?(\\+[xX][mM][lL])?|[xX][hH][tT]|[sS][vV][gG]([zZ]|\\+[xX][mM][lL])?|[xX][mM][lL]|[xX][sS][lL][tT]?(\\+[xX][mM][lL])?)$)',
+      '^(?!([xXsS]?[hH][tT][mM][lL]?(\\+[xX][mM][lL])?|[xX][hH][tT]|[sS][vV][gG]([zZ]|\\+[xX][mM][lL])?|[xX][mM][lL]|[xX][sS][lL][tT]?(\\+[xX][mM][lL])?|[xX][sS][dD]|[rR][nN][gG]|[rR][dD][fF](\\+[xX][mM][lL])?|[oO][wW][lL]|[mM][aA][tT][hH][mM][lL](\\+[xX][mM][lL])?)$)',
     ],
   },
 };

Source: GitHub Commit 4f53ab3

Detection Methods for CVE-2026-32728

Indicators of Compromise

File upload requests with Content-Type headers containing MIME parameters (e.g., ;charset=utf-8, ;boundary=) appended to dangerous content types like text/html or image/svg+xml
Presence of HTML, SVG, or XML-based files (especially xsd, rng, rdf, owl, mathml extensions) in the Parse Server file storage
Unusual file access patterns to uploaded content combined with subsequent suspicious client-side activity

Detection Strategies

Monitor file upload endpoints for Content-Type headers containing semicolons followed by MIME parameters when combined with web content extensions
Implement content inspection on uploaded files to detect embedded JavaScript, event handlers, or other active content regardless of declared extension
Review server logs for file uploads with suspicious content type variations targeting blocked extensions

Monitoring Recommendations

Enable detailed logging on Parse Server file upload operations including full Content-Type header values
Set up alerts for file uploads with extensions matching the newly blocked list (xsd, rng, rdf, owl, mathml)
Monitor for XSS-related security events in web application firewalls and browser-based security telemetry

How to Mitigate CVE-2026-32728

Immediate Actions Required

Upgrade Parse Server to version 9.6.0-alpha.15 or 8.6.41 immediately
Audit existing uploaded files for potentially malicious content, especially files with XML-based extensions
Configure fileUpload.fileExtensions to use an explicit allowlist of only the file extensions required by your application

Patch Information

The Parse Server team has released security patches that address this vulnerability:

Version 9.6.0-alpha.15: Patches for the 9.x alpha branch - View Commit c7599c5
Version 8.6.41: Patches for the stable 8.x branch - View Commit 4f53ab3

The fixes strip MIME parameters from the Content-Type header before validating file extensions and extend the default blocklist to include additional XML-based extensions. For more details, see the GitHub Security Advisory GHSA-42ph-pf9q-cr72.

Workarounds

Configure fileUpload.fileExtensions to use an allowlist approach, specifying only the exact file extensions your application requires rather than relying on the default blocklist
Implement a web application firewall (WAF) rule to strip or reject file uploads with MIME parameters in the Content-Type header
Serve uploaded files from a separate domain or subdomain to prevent same-origin script execution

bash

# Example Parse Server configuration using allowlist approach
# In your Parse Server configuration file, restrict uploads to only needed extensions:
PARSE_SERVER_FILE_UPLOAD_FILE_EXTENSIONS='["jpg", "jpeg", "png", "gif", "pdf", "doc", "docx"]'

# Or in JavaScript configuration:
# fileUpload: {
#   fileExtensions: ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'doc', 'docx']
# }

CVE-2026-32728 Overview

Critical Impact
Attackers can upload malicious files containing executable scripts that execute in victims' browsers under the trusted application domain, potentially leading to session hijacking, credential theft, and unauthorized actions on behalf of authenticated users.

Affected Products

Parse Server versions prior to 9.6.0-alpha.15
Parse Server versions prior to 8.6.41
Parse Server 9.6.0-alpha.1 through 9.6.0-alpha.14

Discovery Timeline

2026-03-18 - CVE-2026-32728 published to NVD
2026-03-19 - Last updated in NVD database

Technical Details for CVE-2026-32728

Vulnerability Analysis

Root Cause

The root cause is twofold:

Improper Content-Type parsing: The extension validation did not strip MIME parameters from the Content-Type header before performing the blocklist check. This allowed attackers to append parameters like ;charset=utf-8 to bypass the regex pattern matching.
Incomplete default blocklist: The default blocklist was missing several XML-based extensions that modern browsers render as active content, including xsd, rng, rdf, rdf+xml, owl, mathml, and mathml+xml.

Attack Vector

The attack is network-based and requires authenticated access with file upload permissions. An attacker exploits this vulnerability by:

Crafting a malicious file (e.g., HTML with embedded JavaScript)
Uploading the file with a modified Content-Type header containing a MIME parameter (e.g., text/html;charset=utf-8)
The extension validation fails to match against the blocklist due to the appended parameter
The malicious file is stored and served under the application's domain
When a victim accesses the file URL, the malicious script executes in their browser context

The following patch shows how the fix addresses the vulnerability by extending the blocklist to include additional XML-based extensions:

javascript

   fileExtensions: {
     env: 'PARSE_SERVER_FILE_UPLOAD_FILE_EXTENSIONS',
-    help: "Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to restrict the file upload extensions as much as possible. HTML, SVG, and XML files are especially problematic as they may be used by an attacker who uploads a HTML form, SVG image, or XML document to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage.<br><br>Defaults to `^(?!([xXsS]?[hH][tT][mM][lL]?(\\\\+[xX][mM][lL])?|[xX][hH][tT]|[sS][vV][gG]([zZ]|\\\\+[xX][mM][lL])?|[xX][mM][lL]|[xX][sS][lL][tT]?(\\\\+[xX][mM][lL])?)$)` which allows any file extension except those that are rendered as website or active content by a web browser.",
+    help: 'Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to only allow the file extensions that your app actually needs, rather than relying on blocking dangerous extensions. This allowlist approach is more secure because new dangerous file extensions may emerge that are not covered by the default blocklist.<br><br>The default blocks the most common file extensions that are known to be rendered as active content by web browsers, such as HTML, SVG, and XML files, which may be used by an attacker to compromise the session token of another user via accessing the browser\'s local storage. The blocked extensions are: `html`, `htm`, `shtml`, `xhtml`, `xhtml+xml`, `xht`, `svg`, `svgz`, `svg+xml`, `xml`, `xsl`, `xslt`, `xslt+xml`, `xsd`, `rng`, `rdf`, `rdf+xml`, `owl`, `mathml`, `mathml+xml`.<br><br>Defaults to `["^(?!([xXsS]?[hH][tT][mM][lL]?(\\\\+[xX][mM][lL])?|[xX][hH][tT]|[sS][vV][gG]([zZ]|\\\\+[xX][mM][lL])?|[xX][mM][lL]|[xX][sS][lL][tT]?(\\\\+[xX][mM][lL])?|[xX][sS][dD]|[rR][nN][gG]|[rR][dD][fF](\\\\+[xX][mM][lL])?|[oO][wW][lL]|[mM][aA][tT][hH][mM][lL](\\\\+[xX][mM][lL])?)$)"]`.',
     action: parsers.arrayParser,
     default: [
-      '^(?!([xXsS]?[hH][tT][mM][lL]?(\\+[xX][mM][lL])?|[xX][hH][tT]|[sS][vV][gG]([zZ]|\\+[xX][mM][lL])?|[xX][mM][lL]|[xX][sS][lL][tT]?(\\+[xX][mM][lL])?)$)',
+      '^(?!([xXsS]?[hH][tT][mM][lL]?(\\+[xX][mM][lL])?|[xX][hH][tT]|[sS][vV][gG]([zZ]|\\+[xX][mM][lL])?|[xX][mM][lL]|[xX][sS][lL][tT]?(\\+[xX][mM][lL])?|[xX][sS][dD]|[rR][nN][gG]|[rR][dD][fF](\\+[xX][mM][lL])?|[oO][wW][lL]|[mM][aA][tT][hH][mM][lL](\\+[xX][mM][lL])?)$)',
     ],
   },
 };

Source: GitHub Commit 4f53ab3

Detection Methods for CVE-2026-32728

Indicators of Compromise

File upload requests with Content-Type headers containing MIME parameters (e.g., ;charset=utf-8, ;boundary=) appended to dangerous content types like text/html or image/svg+xml
Presence of HTML, SVG, or XML-based files (especially xsd, rng, rdf, owl, mathml extensions) in the Parse Server file storage
Unusual file access patterns to uploaded content combined with subsequent suspicious client-side activity

Detection Strategies

Monitor file upload endpoints for Content-Type headers containing semicolons followed by MIME parameters when combined with web content extensions
Implement content inspection on uploaded files to detect embedded JavaScript, event handlers, or other active content regardless of declared extension
Review server logs for file uploads with suspicious content type variations targeting blocked extensions

Monitoring Recommendations

Enable detailed logging on Parse Server file upload operations including full Content-Type header values
Set up alerts for file uploads with extensions matching the newly blocked list (xsd, rng, rdf, owl, mathml)
Monitor for XSS-related security events in web application firewalls and browser-based security telemetry

How to Mitigate CVE-2026-32728

Immediate Actions Required

Upgrade Parse Server to version 9.6.0-alpha.15 or 8.6.41 immediately
Audit existing uploaded files for potentially malicious content, especially files with XML-based extensions
Configure fileUpload.fileExtensions to use an explicit allowlist of only the file extensions required by your application

Patch Information

The Parse Server team has released security patches that address this vulnerability:

Version 9.6.0-alpha.15: Patches for the 9.x alpha branch - View Commit c7599c5
Version 8.6.41: Patches for the stable 8.x branch - View Commit 4f53ab3

Workarounds

Configure fileUpload.fileExtensions to use an allowlist approach, specifying only the exact file extensions your application requires rather than relying on the default blocklist
Implement a web application firewall (WAF) rule to strip or reject file uploads with MIME parameters in the Content-Type header
Serve uploaded files from a separate domain or subdomain to prevent same-origin script execution

bash

# Example Parse Server configuration using allowlist approach
# In your Parse Server configuration file, restrict uploads to only needed extensions:
PARSE_SERVER_FILE_UPLOAD_FILE_EXTENSIONS='["jpg", "jpeg", "png", "gif", "pdf", "doc", "docx"]'

# Or in JavaScript configuration:
# fileUpload: {
#   fileExtensions: ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'doc', 'docx']
# }

CVE-2026-32728: Parse Server XSS Vulnerability via Upload

CVE-2026-32728 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-32728

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-32728

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-32728

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-32728: Parse Server XSS Vulnerability via Upload

CVE-2026-32728 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-32728

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-32728

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-32728

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform