Cross-site scripting in Parse Server - CVE-2026-32728

 

Cross-site scripting in Parse Server - CVE-2026-32728

Published: April 6, 2026 / Updated: April 7, 2026


Vulnerability identifier: #VU125005
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32728
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Parse Community
Affected software:
Parse Server

Detailed vulnerability description

The vulnerability allows a remote user to conduct stored cross-site scripting attacks and disclose sensitive information.

The vulnerability exists due to improper neutralization of input during web page generation in the file upload extension validation logic when processing uploaded files with a Content-Type header containing a MIME parameter or XML-based file extensions missing from the default blocklist. A remote user can upload a specially crafted file to conduct stored cross-site scripting attacks and disclose sensitive information.

User interaction is required for a victim to load the stored active content in a browser.


How to mitigate CVE-2026-32728

Install security update from vendor's website.

Sources