#VU125005 Cross-site scripting in Parse Server - CVE-2026-32728


Published: April 6, 2026 / Updated: April 7, 2026


Vulnerability identifier: #VU125005
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32728
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Parse Server
Software vendor: Parse Community

Description

The vulnerability allows a remote user to conduct stored cross-site scripting attacks and disclose sensitive information.

The vulnerability exists due to improper neutralization of input during web page generation in the file upload extension validation logic when processing uploaded files with a Content-Type header containing a MIME parameter or XML-based file extensions missing from the default blocklist. A remote user can upload a specially crafted file to conduct stored cross-site scripting attacks and disclose sensitive information.

User interaction is required for a victim to load the stored active content in a browser.
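
The class of check described above, as an added example that is not Parse Server's code: a naive comparison that a MIME parameter defeats, beside a validator that strips parameters, treats any `+xml` structured suffix as XML-based, and fails closed. The blocklist contents and all function names are constructed for illustration and are not the project's defaults.

```javascript
'use strict';

// Constructed blocklist (assumption, not Parse Server's default list):
// extensions and subtypes a browser may render as active content.
const BLOCKED = new Set(['html', 'htm', 'xhtml', 'svg', 'xml', 'xsl', 'xslt']);

// Naive form: compares everything after "/" to the blocklist, so a trailing
// MIME parameter ("; charset=...") changes the string being compared.
function naiveIsAllowed(contentType) {
  const subtype = String(contentType).split('/')[1] || '';
  return !BLOCKED.has(subtype.toLowerCase());
}

// Reduce "type/subtype; param=value" to a normalized {type, subtype},
// or null when the header is not a well-formed media type.
function parseMediaType(contentType) {
  const essence = String(contentType).split(';')[0].trim().toLowerCase();
  const m = /^([a-z0-9!#$&^_.+-]+)\/([a-z0-9!#$&^_.+-]+)$/.exec(essence);
  return m ? { type: m[1], subtype: m[2] } : null;
}

// Lower-cased text after the last dot of the file name ('' if none).
function extensionOf(filename) {
  const name = String(filename);
  const dot = name.lastIndexOf('.');
  return dot === -1 ? '' : name.slice(dot + 1).trim().toLowerCase();
}

// Hardened form: checks both the declared media type and the file name.
function isUploadAllowed(filename, contentType) {
  const media = parseMediaType(contentType);
  if (!media) return false;                        // malformed header: fail closed
  const parts = media.subtype.split('+');
  const suffix = parts.length > 1 ? parts[parts.length - 1] : '';
  if (suffix === 'xml') return false;              // any XML-based type (svg+xml, rdf+xml, ...)
  if (BLOCKED.has(parts[0])) return false;         // e.g. text/html, application/xml
  if (BLOCKED.has(extensionOf(filename))) return false;
  return true;
}
```

A blocklist only narrows what is stored; serving uploads with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` limits what a browser will render from them.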


Remediation

Install the security update from the vendor's website.
