Parse Server is an open-source backend framework that runs on Node.js and is widely used for mobile and web applications. CVE-2026-31868 is a stored Cross-Site Scripting (XSS) vulnerability affecting parse-server versions >= 9.0.0 and < 9.6.0-alpha.4, and versions below 8.6.30. The vulnerability stems from insufficient input validation and improper neutralization of file uploads with certain extensions or content types that are not blocked by the default fileUpload.fileExtensions configuration. Specifically, attackers can upload files with extensions such as .svgz, .xht, .xml, .xsl, and .xslt, or with content types application/xhtml+xml and application/xslt+xml, which can embed malicious JavaScript code. When a victim accesses the URL of such a file, the browser renders the file and executes the embedded script in the context of the parse-server domain, leading to stored XSS. This can result in session hijacking, unauthorized actions on behalf of users, or redirection to malicious sites. Notably, uploads of .html, .htm, .shtml, .xhtml, and .svg files were already blocked, but the vulnerability arises from the overlooked extensions and content types. Exploitation requires no authentication but does require that a user accesses the malicious file URL. The vulnerability has a CVSS 4.0 base score of 6.3, indicating medium severity, with network attack vector, low complexity, no privileges required, no user interaction required for the attack to succeed once the malicious file is accessed, and high impact on confidentiality, integrity, and availability due to scope change. The issue was fixed in versions 9.6.0-alpha.4 and 8.6.30 by tightening file extension and content type validation.

This vulnerability can have significant impacts on organizations using vulnerable versions of parse-server. Successful exploitation allows attackers to execute arbitrary JavaScript in the security context of the parse-server domain, potentially leading to theft of session tokens, enabling account takeover, unauthorized actions on behalf of users, and redirection to malicious websites. This compromises user confidentiality and integrity of data and can disrupt availability by manipulating application behavior. Since parse-server is used as a backend for many mobile and web applications, the scope of affected systems can be broad, especially for organizations that allow user file uploads without additional filtering. The attack requires no authentication, increasing risk, but does require user interaction to access the malicious file URL. Although no known exploits are reported in the wild yet, the medium severity and ease of exploitation make it a credible threat. Organizations relying on parse-server for critical applications could face reputational damage, data breaches, and regulatory consequences if exploited.

Organizations should immediately upgrade parse-server to versions 9.6.0-alpha.4 or 8.6.30 or later, where the vulnerability is patched. In addition to upgrading, administrators should review and tighten the fileUpload.fileExtensions configuration to explicitly block all potentially dangerous file extensions and content types, including those identified in this vulnerability (.svgz, .xht, .xml, .xsl, .xslt, and related MIME types). Implement additional server-side validation and sanitization of uploaded files to detect and reject files containing executable scripts or unexpected markup. Employ Content Security Policy (CSP) headers to restrict script execution contexts and reduce the impact of any injected scripts. Monitor logs for suspicious file uploads and access patterns to detect exploitation attempts. Educate users to avoid clicking on untrusted URLs and consider implementing user authentication or authorization checks before serving uploaded files. Finally, conduct regular security assessments and penetration testing focused on file upload functionalities.