2 matches found
CVE-2026-55778
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type,...
GHSA-V8X7-R927-CC93 parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist
Impact Parse Server's default fileUpload.fileExtensions blocklist is intended to prevent uploading files that browsers render as active content such as HTML and SVG, which can be used to perform stored cross-site scripting XSS attacks against other users. The blocklist could be bypassed by...