CVE-2026-30948 is a stored cross-site scripting (XSS) vulnerability identified in the parse-community's parse-server, an open-source backend platform running on Node.js. The flaw exists in versions >= 9.0.0 and < 9.5.2-alpha.4, and versions < 8.6.17. It arises because authenticated users can upload SVG files containing embedded JavaScript code. These SVG files are served inline with the MIME type image/svg+xml without any security headers such as Content-Security-Policy or X-Content-Type-Options. As a result, when a victim user accesses the malicious SVG, the browser executes the embedded JavaScript in the context of the parse-server origin. This can lead to theft of session tokens stored in localStorage, enabling attackers to hijack user sessions and perform account takeover. The vulnerability stems from the default fileExtensions configuration, which blocks HTML uploads but does not restrict SVG files, a known vector for XSS attacks. Since file upload is enabled by default for authenticated users, all such deployments are vulnerable unless patched. The vulnerability does not require elevated privileges beyond authentication and does not require user interaction beyond viewing the malicious SVG. The CVSS 4.0 base score is 8.3, reflecting network attack vector, low attack complexity, no privileges required beyond authentication, partial user interaction, and high impact on confidentiality. No public exploits have been reported yet. The issue was reserved on March 7, 2026, and published on March 10, 2026. The fix is included in parse-server versions 9.5.2-alpha.4 and 8.6.17 and later.

This vulnerability poses a significant risk to organizations using parse-server as their backend infrastructure, especially those allowing authenticated users to upload files. Successful exploitation can lead to session token theft and user account takeover, compromising user data confidentiality and integrity. Attackers could impersonate legitimate users, escalate privileges, or perform unauthorized actions within the application. Since the vulnerability affects all deployments with default file upload settings, the attack surface is broad. The impact extends to any web application relying on parse-server for user authentication and data management, potentially affecting customer trust and regulatory compliance. Additionally, compromised accounts could be leveraged for further attacks within the organization’s environment. The lack of protective headers and the inline serving of SVG files exacerbate the risk. Although no known exploits are currently in the wild, the ease of exploitation and high impact make this a critical issue to address promptly.

Organizations should immediately upgrade parse-server to version 9.5.2-alpha.4, 8.6.17, or later where the vulnerability is patched. Until upgrades can be applied, administrators should disable file uploads for authenticated users or restrict allowed file types to exclude SVG files. Implementing strict Content Security Policy (CSP) headers that disallow inline scripts and restrict script sources can mitigate exploitation risk. Additionally, configuring the server to serve SVG files with the Content-Disposition header set to attachment rather than inline can prevent automatic script execution. Employing X-Content-Type-Options: nosniff headers can also reduce risk by preventing MIME type sniffing. Regularly auditing file upload functionality and monitoring logs for suspicious SVG uploads is recommended. Developers should review and harden file validation logic to reject potentially dangerous file types and sanitize all user-supplied content. Finally, educating users about the risks of clicking on untrusted links or files within the application can reduce the likelihood of successful exploitation.