Parse Server is an open-source backend framework that runs on Node.js and supports file uploads. CVE-2026-31868 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, caused by insufficient sanitization and validation of uploaded files with certain extensions or content types. Specifically, prior to versions 9.6.0-alpha.4 and 8.6.30, the default configuration of the fileUpload.fileExtensions option did not block uploads of files with extensions such as .svgz, .xht, .xml, .xsl, and .xslt, or files with content types application/xhtml+xml and application/xslt+xml when uploaded without extensions. These files can embed malicious JavaScript code. When a victim accesses the URL of such a file hosted on the parse-server domain, the browser renders the file and executes the embedded script in the context of that domain. This enables attackers to perform actions like stealing session tokens, redirecting users to malicious sites, or executing unauthorized actions on behalf of users. The vulnerability is notable because it bypasses existing restrictions that blocked .html, .htm, .shtml, .xhtml, and .svg files, expanding the attack surface. Exploitation requires no privileges or authentication but does require user interaction to access the malicious file URL. The vulnerability has a CVSS 4.0 score of 6.3, reflecting medium severity with network attack vector, low attack complexity, no privileges required, and user interaction needed. No known exploits in the wild have been reported yet. The issue was addressed by tightening the file extension and content type validation in the fixed versions.

This vulnerability can have significant impacts on organizations using affected parse-server versions, especially those exposing file upload functionality to untrusted users. Successful exploitation allows attackers to execute arbitrary JavaScript in the security context of the parse-server domain, leading to session hijacking, unauthorized actions, and user redirection to malicious sites. This compromises confidentiality and integrity of user sessions and data. It may also facilitate further attacks such as phishing or spreading malware. Since parse-server is often used as a backend for mobile and web applications, the impact can extend to end users, damaging trust and causing reputational harm. The vulnerability affects all organizations running vulnerable parse-server versions with default or insufficiently restrictive file upload configurations, regardless of industry. The ease of exploitation (no authentication required) and the potential for widespread impact on user sessions make this a notable risk. However, the requirement for user interaction and the medium CVSS score indicate it is not trivially exploitable at scale without user involvement.

Organizations should immediately upgrade parse-server to version 9.6.0-alpha.4 or later, or 8.6.30 or later, where the vulnerability is fixed. In addition to patching, administrators should review and harden the fileUpload.fileExtensions configuration to explicitly block all potentially dangerous file types beyond those already blocked, including .svgz, .xht, .xml, .xsl, and .xslt, and any other XML-based or scriptable file formats. Implement strict content-type validation on uploads and consider using server-side scanning or sanitization tools to detect and neutralize embedded scripts in uploaded files. Restrict file upload permissions to trusted users where possible and monitor upload logs for suspicious activity. Employ Content Security Policy (CSP) headers to limit the impact of any injected scripts. Educate users to avoid clicking on untrusted links that may lead to malicious file URLs. Finally, conduct regular security assessments and penetration testing focused on file upload functionality to detect similar issues proactively.