CVE-2026-32728: Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries
An attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. ;charset=utf-8) to the Content-Type header. This causes the extension validation to fail matching against the blocklist, allowing active content to be stored and served under the application’s domain. In addition, certain XML-based file extensions that can render scripts in web browsers are not included in the default blocklist.
This can lead to stored XSS attacks, compromising session tokens, user credentials, or other sensitive data accessible via the browser’s local storage.
References
- github.com/advisories/GHSA-42ph-pf9q-cr72
- github.com/parse-community/parse-server
- github.com/parse-community/parse-server/commit/4f53ab3cad5502a51a509d53f999e00ff7217b8d
- github.com/parse-community/parse-server/commit/c7599c577a02b97eb5e76d4e20517b0283ae73c8
- github.com/parse-community/parse-server/pull/10191
- github.com/parse-community/parse-server/pull/10192
- github.com/parse-community/parse-server/security/advisories/GHSA-42ph-pf9q-cr72
- nvd.nist.gov/vuln/detail/CVE-2026-32728
Code Behaviors & Features
Detect and mitigate CVE-2026-32728 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →