Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-v8x7-r927-cc93 | parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist |
Thu, 09 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 08 Jul 2026 23:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Parse Community
Parse Community parse Server |
|
| Vendors & Products |
Parse Community
Parse Community parse Server |
Wed, 08 Jul 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type, allowing storage adapters such as S3 and GCS to serve attacker-supplied active content and enable stored cross-site scripting. This issue is fixed in versions 9.9.1-alpha.11 and 8.6.81. | |
| Title | Parse Server: Stored XSS via non-standard file extension bypassing file upload extension blocklist | |
| Weaknesses | CWE-434 | |
| References |
|
|
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-09T13:39:44.881Z
Reserved: 2026-06-17T14:40:28.379Z
Link: CVE-2026-55778
Updated: 2026-07-09T13:39:41.511Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-09T04:00:11Z
Github GHSA