CVE-2026-55778 Overview
CVE-2026-55778 affects Parse Server, an open source backend that runs on Node.js infrastructure. Versions prior to 9.9.1-alpha.11 and 8.6.81 contain a file upload validation flaw. The default fileUpload.fileExtensions blocklist can be bypassed by uploading files with non-standard or compound extensions combined with a dangerous content type. Storage adapters such as Amazon S3 and Google Cloud Storage (GCS) then serve the attacker-supplied active content, enabling stored cross-site scripting (XSS). The vulnerability is classified under [CWE-434] Unrestricted Upload of File with Dangerous Type.
Critical Impact
Authenticated attackers can upload files that bypass extension filtering and are served as active content by object storage adapters, resulting in stored XSS against application users.
Affected Products
- Parse Server versions prior to 8.6.81 (8.x branch)
- Parse Server versions prior to 9.9.1-alpha.11 (9.x branch)
- Deployments using S3 or GCS file storage adapters with default fileUpload.fileExtensions configuration
Discovery Timeline
- 2026-07-08 - CVE-2026-55778 published to the National Vulnerability Database (NVD)
- 2026-07-08 - Last updated in NVD database
- Fix released - Patched in Parse Server 9.9.1-alpha.11 and 8.6.81 via commits 97c6a78d and be12a60d
Technical Details for CVE-2026-55778
Vulnerability Analysis
Parse Server enforces file upload restrictions through a configurable fileUpload.fileExtensions blocklist evaluated in src/Routers/FilesRouter.js. The validation logic inspects the file extension in isolation and does not correlate it against the declared MIME content type. Attackers can submit files with compound extensions such as image.jpg.html or non-standard extensions that do not match any blocked pattern while sending a dangerous Content-Type header such as text/html or application/javascript.
Once stored, adapters like S3 and GCS return the object using the attacker-controlled content type. Browsers render the payload as active content in the origin of the application, producing stored XSS. Because Parse Server frequently backs single-page applications and mobile clients, an XSS payload can pivot into session token theft, API abuse, and authenticated request forgery.
Root Cause
The root cause is incomplete input validation on file uploads. The blocklist checks the extension string but ignores the MIME type and does not normalize compound extensions. This is a classic [CWE-434] unrestricted file upload weakness combined with inconsistent enforcement between the upload validator and the downstream storage adapter.
Attack Vector
Exploitation requires network access to the Parse Server file upload endpoint and low-privilege authenticated access. The attacker crafts an HTTP POST to the /files endpoint with a filename bearing a bypassing extension and a dangerous Content-Type. The uploaded object is stored in the configured adapter and later requested by a victim, which triggers execution in the victim browser context.
// Security patch in src/Routers/FilesRouter.js
// Fix: Stored XSS via non-standard file extension bypassing file upload extension blocklist
const fileExtensions = config.fileUpload?.fileExtensions;
if (!isMaster && fileExtensions) {
+ const mime = (await import('mime')).default;
const isValidExtension = extension => {
return fileExtensions.some(ext => {
if (ext === '*') {
Source: parse-community/parse-server commit 97c6a78d. The patch introduces the mime module so that validation resolves the declared content type against the extension, closing the mismatch that enabled the bypass.
Detection Methods for CVE-2026-55778
Indicators of Compromise
- Uploaded objects in S3 or GCS buckets with compound extensions such as .jpg.html, .png.svg, or .pdf.js
- HTTP POST requests to Parse Server /files/:filename endpoints where the Content-Type header does not match the filename extension
- Objects served from Parse-managed buckets with Content-Type: text/html, image/svg+xml, or application/javascript when the application is expected to store only images or documents
Detection Strategies
- Review Parse Server access logs for POST /parse/files/ requests followed by 200 responses containing suspicious filenames or MIME types.
- Inspect S3 CloudTrail and GCS audit logs for PutObject events referencing double extensions or executable MIME types on file storage buckets.
- Query web server and CDN logs for GET requests to stored file URLs where the response Content-Type is HTML or JavaScript.
Monitoring Recommendations
- Alert on any file object stored with Content-Type: text/html or image/svg+xml in buckets that back Parse Server file storage.
- Baseline the file extensions and MIME types produced by legitimate clients and flag deviations.
- Enable browser Content Security Policy (CSP) reporting to surface script execution originating from file storage domains.
How to Mitigate CVE-2026-55778
Immediate Actions Required
- Upgrade Parse Server to version 8.6.81 for the 8.x branch or 9.9.1-alpha.11 for the 9.x branch.
- Audit existing objects in S3 and GCS buckets used by Parse Server and remove any files with compound or unexpected extensions.
- Rotate session tokens for user accounts that may have loaded attacker-supplied file URLs prior to remediation.
Patch Information
The fix is delivered in Parse Server 8.6.81 and 9.9.1-alpha.11. See the GitHub Security Advisory GHSA-v8x7-r927-cc93 and pull requests #10505 and #10506 for the code changes. The patch, applied in src/Routers/FilesRouter.js, uses the mime module to reconcile the declared content type with the file extension during validation.
Workarounds
- Configure fileUpload.fileExtensions as an allowlist of expected extensions rather than relying on the default blocklist.
- Serve stored files from a sandboxed domain and set Content-Disposition: attachment to prevent inline execution.
- Front the storage adapter with a CDN or proxy that forces safe response Content-Type headers such as application/octet-stream for user-uploaded objects.
# Configuration example: restrict Parse Server uploads to an allowlist
# and enforce content disposition for served files
parse-server \
--appId "$APP_ID" \
--masterKey "$MASTER_KEY" \
--databaseURI "$DB_URI" \
--fileUpload '{"enableForPublic": false, "enableForAnonymousUser": false, "fileExtensions": ["jpg","jpeg","png","gif","pdf"]}'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

