SB2026063054 - Arbitrary file upload in Parse Server

Published: June 30, 2026

Security Bulletin ID SB2026063054
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Arbitrary file upload (CVE-ID: N/A)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user with file upload permission to execute arbitrary script in other users' browsers (stored cross-site scripting).

The vulnerability exists due to unrestricted upload of a file with a dangerous type in the file upload validation and storage handling. When a file is uploaded with an unrecognized extension and a malformed Content-Type, the client-supplied Content-Type is persisted with the file instead of being rejected or normalized. A remote user can upload a crafted file whose body begins with HTML markup; when another user's browser later fetches the stored file and receives that Content-Type, the browser sniffs the body as HTML and executes the embedded script.

Exploitation requires permission to upload files. Only storage adapters that persist and serve the uploaded Content-Type are affected; the default GridFS storage adapter is not affected.
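The following is an added illustration, not Parse Server code and not the vendor's fix. It models the two halves of the bug described above: an upload classifier that persists whatever Content-Type the client sent when the extension is unrecognized, beside a hardened classifier that validates the media type, detects bodies a browser would sniff as HTML (simplified from the WHATWG MIME Sniffing HTML patterns), and forces nosniff/attachment headers. All function names, the extension table and the sample upload are constructed for the example.

```javascript
// Added example (hypothetical helpers, not Parse Server's implementation).
// Prefixes from the WHATWG MIME Sniffing "HTML pattern" table: matched
// case-insensitively after leading whitespace, and each must be followed
// by a tag-terminating byte (space or ">").
const HTML_PATTERNS = [
  "<!DOCTYPE HTML", "<HTML", "<HEAD", "<SCRIPT", "<IFRAME", "<H1", "<DIV",
  "<FONT", "<TABLE", "<A", "<STYLE", "<TITLE", "<B", "<BODY", "<BR", "<P", "<!--",
];

// True when a browser that sniffs the resource header (first 1445 bytes)
// would classify it as text/html.
function sniffsAsHtml(bodyBytes) {
  const head = Buffer.from(bodyBytes).subarray(0, 1445).toString("latin1");
  const upper = head.replace(/^[\t\n\f\r ]+/, "").toUpperCase();
  return HTML_PATTERNS.some((p) => {
    if (!upper.startsWith(p)) return false;
    const terminator = upper.charAt(p.length);
    return terminator === " " || terminator === ">";
  });
}

// Returns the lowercase "type/subtype" essence of a syntactically valid
// media type (RFC 7231 token grammar, parameters ignored), else null.
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const TYPE_RE = new RegExp(`^${TOKEN}/${TOKEN}$`);
function parseMediaType(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return TYPE_RE.test(essence) ? essence : null;
}

// Constructed allow-list of extensions the server recognizes.
const KNOWN_EXTENSIONS = new Map([
  ["png", "image/png"], ["jpg", "image/jpeg"], ["jpeg", "image/jpeg"],
  ["gif", "image/gif"], ["pdf", "application/pdf"], ["txt", "text/plain"],
]);
function extensionOf(filename) {
  const m = /\.([A-Za-z0-9]+)$/.exec(filename);
  return m ? m[1].toLowerCase() : null;
}

// Weak classifier: an unrecognized extension falls back to the client's
// Content-Type verbatim, malformed or not, and that value is what a
// persisting adapter would later serve.
function classifyUploadWeak(filename, clientContentType) {
  const known = KNOWN_EXTENSIONS.get(extensionOf(filename));
  return { ok: true, storedContentType: known || clientContentType };
}

// Hardened classifier: only a validated media type is ever stored, types a
// browser executes are refused, bodies that sniff as HTML are refused, and
// the file is always served with headers that suppress sniffing/rendering.
const ACTIVE_TYPES = new Set([
  "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml", "application/xml",
]);
function classifyUploadHardened(filename, clientContentType, bodyBytes) {
  const known = KNOWN_EXTENSIONS.get(extensionOf(filename));
  const declared = parseMediaType(clientContentType);
  const type = known || declared;
  if (!type) return { ok: false, reason: "unrecognized extension and unparseable Content-Type" };
  if (ACTIVE_TYPES.has(type)) return { ok: false, reason: `active content type ${type} not allowed` };
  if (sniffsAsHtml(bodyBytes)) return { ok: false, reason: "body would be sniffed as HTML" };
  return {
    ok: true,
    storedContentType: type,
    responseHeaders: { "X-Content-Type-Options": "nosniff", "Content-Disposition": "attachment" },
  };
}

// Simplified model of the browser side: sniffing runs when the served type
// is missing, unparseable or an "unknown" type, unless nosniff is present.
function browserRendersAsHtml(servedContentType, bodyBytes, nosniff = false) {
  const essence = parseMediaType(servedContentType);
  if (essence === "text/html") return true;
  const unknown = essence === null || essence === "application/octet-stream" ||
    essence === "unknown/unknown" || essence === "application/unknown";
  if (!unknown || nosniff) return false;
  return sniffsAsHtml(bodyBytes);
}

// Constructed sample: unrecognized extension, malformed Content-Type,
// body starting with HTML markup.
const CRAFTED_BODY = Buffer.from("<html><script>alert(document.domain)</script></html>");
const MALFORMED_TYPE = "text/html/; charset=utf-8";

function demo() {
  const weak = classifyUploadWeak("notes.zzz", MALFORMED_TYPE);
  const hardened = classifyUploadHardened("notes.zzz", MALFORMED_TYPE, CRAFTED_BODY);
  return {
    weakStored: weak.storedContentType,
    weakRenders: browserRendersAsHtml(weak.storedContentType, CRAFTED_BODY),
    hardenedAccepted: hardened.ok,
  };
}

console.log(demo());
```

The weak path stores the malformed string unchanged; a browser cannot parse it, falls back to sniffing, matches the `<html` prefix and runs the script. The hardened path rejects the upload outright, and even for accepted files the nosniff and attachment headers mean a mismatched body is downloaded rather than rendered.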


Remediation

Install the update from the vendor's website.

As general hardening (not the vendor's fix), serving uploaded files with X-Content-Type-Options: nosniff and Content-Disposition: attachment, for example from a reverse proxy in front of the storage adapter, prevents browsers from rendering an upload as HTML until the update is applied.