PatchSiren cyber security CVE debrief
CVE-2026-53724 parse-community CVE debrief
CVE-2026-53724 is a low-severity vulnerability in Parse Server, an open-source backend. The issue allows an attacker to bypass the default file upload extension blocklist by appending a trailing dot to a filename whose extension would otherwise be blocked. This can lead to stored XSS when a victim opens the file URL. The vulnerability has been patched in versions 8.6.79 and 9.9.1-alpha.4.
- Vendor: parse-community
- Product: parse-server
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Parse Server, especially those hosting it on their own infrastructure, should be aware of this vulnerability and take steps to update to a patched version.
Technical summary
The vulnerability exists in the file upload handling of Parse Server. By appending a trailing dot to a filename with a blocked extension, an attacker can bypass the blocklist check: the extension parser extracts an empty string from such a name, which short-circuits the blocklist check. The attacker-controlled Content-Type is then forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type, such as S3 or GCS, serve the file with an active type like image/svg+xml, enabling stored XSS.
Defensive priority
Low
Recommended defensive actions
- Update Parse Server to version 8.6.79 or 9.9.1-alpha.4 or later.
- Review file upload handling and Content-Type headers in your implementation.
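The following is an added example, not Parse Server's own code, illustrating the technical summary and the second defensive action above: a naive extension parser that yields an empty string for a trailing-dot name, beside a hardened check that normalises the filename first and refuses to forward an "active" client-supplied Content-Type. The blocklist, the set of active types and all function names are assumptions made for illustration.

```javascript
// Added example, not Parse Server's own code. Blocklist, active-type set and
// function names are assumptions for illustration only.
const BLOCKED_EXTENSIONS = new Set(['html', 'htm', 'svg', 'xml', 'js']);
const ACTIVE_CONTENT_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml',
  'text/xml', 'application/xml', 'text/javascript', 'application/javascript',
]);

// Naive parser: whatever follows the last dot. "evil.svg." yields "", so a
// check of the form `if (ext && blocklist.has(ext))` is skipped entirely.
function naiveExtension(filename) {
  const idx = filename.lastIndexOf('.');
  return idx === -1 ? '' : filename.slice(idx + 1).toLowerCase();
}

// Hardened parser: drop any path component, strip trailing dots and whitespace,
// then read the extension of the normalised name. null means "no extension".
function normalizeExtension(filename) {
  const base = filename.split(/[\\/]/).pop().replace(/[.\s]+$/, '');
  const idx = base.lastIndexOf('.');
  return idx <= 0 ? null : base.slice(idx + 1).toLowerCase();
}

// Blocklist decision made on the normalised extension, so "evil.svg." and
// "Evil.SVG.. " are treated exactly like "evil.svg".
function isBlockedFilename(filename, blocklist = BLOCKED_EXTENSIONS) {
  const ext = normalizeExtension(filename);
  return ext !== null && blocklist.has(ext);
}

// Do not forward a client-supplied "active" type to the storage adapter:
// downgrade it to a type browsers will not render as a document.
// Media-type parameters (e.g. "; charset=utf-8") are ignored for the comparison.
function safeContentType(clientType) {
  const essence = String(clientType || '').split(';')[0].trim().toLowerCase();
  if (!essence || ACTIVE_CONTENT_TYPES.has(essence)) return 'application/octet-stream';
  return essence;
}

// Headers a file-serving route should emit regardless of adapter; nosniff is
// the behaviour the debrief credits for the GridFS adapter not being affected.
function fileResponseHeaders(clientType) {
  return {
    'Content-Type': safeContentType(clientType),
    'X-Content-Type-Options': 'nosniff',
  };
}
```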
Evidence notes
The vulnerability was patched in versions 8.6.79 and 9.9.1-alpha.4. The default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff on responses.
Official resources
CVE-2026-53724 was published on 2026-06-12T19:16:30.220Z.