GHSA-p6c5-mjgj-m4rm · Severity: low — Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions >= 9.0...
Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions >= 9.0.0, < 9.10.0-alpha.2 and <= 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a valid type/subtype media type (e.g., 'image', 'image/', or 'image//svg+xml') bypasses the fileUpload.fileExtensions blocklist and is stored unchanged. On storage adapters that persist and serve the uploaded Content-Type (such as Amazon S3, Google Cloud Storage, or Azure Blob Storage), a browser cannot parse the malformed value and falls back to MIME-sniffing; a file whose body begins with HTML is rendered as HTML, executing embedded script in the application's origin against other users who open the file URL. The default GridFS storage adapter is not affected. Fixed in 9.10.0-alpha.2 and 8.6.84.
Conclusion & alert: CVE-2026-61448 is rated Low Risk (13.8/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.24%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-07-12 | — | 0.24% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 2.1 | 4.0 | LOW |
|
— | — | [email protected] |
GHSA-p6c5-mjgj-m4rm · Severity: low — Parse Server is affected by a stored cross-site scripting (XSS) vulnerability in versions >= 9.0...
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| parseplatform | parse-server | >= 9.0.0, < 9.10.0-alpha.2 | cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:* |
| parseplatform | parse-server | < 8.6.84 | cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:* |