
CVE-2026-32728: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in parse-community parse-server

Severity: High
Published: Wed Mar 18 2026 (03/18/2026, 21:31:08 UTC)
Source: CVE Database V5
Vendor/Project: parse-community
Product: parse-server

Description

CVE-2026-32728 is a high-severity stored cross-site scripting (XSS) vulnerability in parse-community's parse-server versions prior to 9.6.0-alpha.15 and 8.6.41. The flaw allows attackers with file upload permissions to bypass file extension filters by appending MIME parameters to the Content-Type header, enabling storage and serving of active content under the application's domain. Additionally, the default blocklist does not cover certain XML-based file extensions capable of rendering scripts, increasing the attack surface. Exploitation can lead to theft of session tokens, user credentials, or other sensitive browser-stored data. The vulnerability is mitigated by stripping MIME parameters before validation and expanding the blocklist to include more XML extensions.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/26/2026, 01:14:04 UTC

Technical Analysis

CVE-2026-32728 is a stored cross-site scripting (XSS) vulnerability identified in parse-community's parse-server, an open-source backend framework for Node.js environments. The vulnerability arises from improper neutralization of input during web page generation (CWE-79). Specifically, prior to versions 9.6.0-alpha.15 and 8.6.41, the file upload mechanism fails to correctly validate file extensions because it does not strip MIME parameters appended to the Content-Type header (e.g., ";charset=utf-8"). This allows an attacker with file upload permissions to bypass the file extension blocklist by appending such parameters, enabling the upload and storage of files containing active content such as scripts. Furthermore, the default blocklist does not include several XML-based file extensions (e.g., xsd, rng, rdf, owl, mathml) that can render executable scripts in browsers, further increasing the risk.

When these malicious files are served under the application's domain, they can execute in the context of the victim's browser, leading to session hijacking, credential theft, or exposure of sensitive local storage data. The fix implemented in the patched versions involves stripping MIME parameters from the Content-Type header before validating the extension and expanding the blocklist to cover additional XML-based extensions. The vulnerability requires an attacker to have file upload privileges and some user interaction to trigger the malicious script.

The CVSS 4.0 base score is 8.3 (high), reflecting network attack vector, low attack complexity, no privileges required beyond upload permission, and partial impact on confidentiality and integrity. Developers are strongly recommended to configure the fileUpload.fileExtensions option as an allowlist tailored to their application's needs rather than relying on the default blocklist, which is not exhaustive and may not cover emerging risky extensions.

Potential Impact

This vulnerability poses a significant risk to organizations using vulnerable versions of parse-server, especially those exposing file upload functionality to authenticated users or external parties. Exploitation can lead to stored XSS attacks, enabling attackers to execute arbitrary scripts in the context of the victim's browser. This can result in theft of session tokens, user credentials, or other sensitive data stored locally, potentially leading to account compromise and unauthorized access. The attack undermines the confidentiality and integrity of user data and can facilitate further attacks such as privilege escalation or lateral movement within an organization's infrastructure. Since parse-server is widely used in backend services for mobile and web applications, the impact can be broad, affecting user trust and compliance with data protection regulations. The vulnerability does not directly affect availability but can indirectly cause service disruption through exploitation chains. The ease of exploitation with minimal privileges and no need for complex conditions increases the threat level. Organizations relying on default blocklists without strict allowlists are particularly vulnerable, and failure to patch or mitigate could expose them to targeted or opportunistic attacks.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately upgrade parse-server to version 9.6.0-alpha.15, 8.6.41, or later where the issue is fixed. In addition, developers must configure the fileUpload.fileExtensions option as a strict allowlist containing only the file extensions necessary for their application, rather than relying on the default blocklist. This proactive approach reduces the risk of new or unlisted dangerous extensions being exploited. It is also critical to validate and sanitize all uploaded files on the server side, including stripping or normalizing MIME parameters in the Content-Type header before any extension validation. Implementing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Regular security audits and penetration testing focusing on file upload functionality should be conducted to detect similar issues. Monitoring logs for suspicious file uploads and anomalous user behavior can aid early detection of exploitation attempts. Finally, educating developers about the risks of improper input validation and the limitations of blocklists versus allowlists will improve long-term security posture.
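The following is an added illustration, not parse-server's own code, of the two points made in the Technical Analysis and the Mitigation Recommendations above: a check that reads the raw Content-Type header does not recognise "text/html; charset=utf-8", and a blocklist silently passes extensions it does not list, whereas normalising the header first and enforcing an application-specific allowlist rejects both cases. All function names, the static type map and the sample inputs are hypothetical and constructed for the demonstration.

```javascript
// Added example, not parse-server's own code. Hypothetical upload validator
// showing (a) why a check that reads the raw Content-Type header misses a
// value such as "text/html; charset=utf-8", and (b) the hardened form:
// strip MIME parameters first, then enforce an extension allowlist.

// Small static map standing in for a MIME database (constructed for the demo).
const TYPE_TO_EXTENSION = {
  "text/html": "html",
  "application/xhtml+xml": "xhtml",
  "image/svg+xml": "svg",
  "image/png": "png",
  "application/pdf": "pdf",
};

// Blocklist of the kind the advisory describes as not exhaustive
// (note: XML-based extensions such as "xsd" are absent).
const DEFAULT_BLOCKLIST = new Set(["html", "htm", "js", "svg", "xml", "xhtml"]);

// Strip MIME parameters: "text/html; charset=utf-8" -> "text/html".
function normalizeContentType(header) {
  if (typeof header !== "string") return "";
  return header.split(";")[0].trim().toLowerCase();
}

// Extension comes from the filename if it has one, otherwise from the
// Content-Type. `normalize` toggles the fix under discussion.
function deriveExtension(filename, contentType, normalize) {
  const dot = filename.lastIndexOf(".");
  if (dot > 0) return filename.slice(dot + 1).toLowerCase();
  const type = normalize ? normalizeContentType(contentType) : contentType;
  return TYPE_TO_EXTENSION[type] || "";
}

// Weak check: raw header, blocklist. An unrecognised type yields no
// extension, and "no extension" is not on the blocklist, so it passes.
function weakCheck(filename, contentType) {
  const ext = deriveExtension(filename, contentType, false);
  return !DEFAULT_BLOCKLIST.has(ext);
}

// Hardened check: normalised header, allowlist tailored to the application.
// Anything that cannot be mapped to an allowed extension is rejected.
function hardenedCheck(filename, contentType, allowlist) {
  const ext = deriveExtension(filename, contentType, true);
  return ext !== "" && allowlist.has(ext);
}

// Allowlist an image-upload endpoint might configure (constructed).
const ALLOWLIST = new Set(["png", "jpg", "jpeg", "pdf"]);
```

Running `weakCheck("avatar", "text/html; charset=utf-8")` returns true (the upload would be accepted) while `hardenedCheck` with the same inputs returns false; the same holds for `schema.xsd`, which the blocklist never mentions.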


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-13T15:02:00.626Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69bb2001771bdb1749c8931a

Added to database: 3/18/2026, 9:58:25 PM

Last enriched: 3/26/2026, 1:14:04 AM

Last updated: 5/2/2026, 1:15:22 AM
