Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 03287cf
Author: Manuel
Date: 2026-03-09T23:50:23Z
Commit Message
fix: Stored XSS via file upload of HTML-renderable file types ([GHSA-v5hf-f4c3-m5rv](https://github.com/parse-community/parse-server/security/advisories/GHSA-v5hf-f4c3-m5rv)) (#10162)
Pull Request
PR: #10162 - fix: Stored XSS via file upload of HTML-renderable file types (GHSA-v5hf-f4c3-m5rv)
Labels: state:released-alpha
Description:
Pull Request
Issue
Stored XSS via file upload of HTML-renderable file types ([GHSA-v5hf-f4c3-m5rv](https://github.com/parse-community/parse-server/security/advisories/GHSA-v5hf-f4c3-m5rv))
Tasks
Analysis
Vulnerability Type: Stored Cross-Site Scripting (XSS)
Severity: High
Description
The patch fixes a stored XSS vulnerability via file uploads of HTML-renderable file types such as .svgz, .xht, .xml, .xsl, and .xslt. Previously, malicious files containing executable scripts could be uploaded and later rendered in users' browsers, allowing attackers to execute arbitrary JavaScript in the context of the application, leading to session hijacking or other attacks. The patch prevents uploads of these dangerous file types by default.
Affected Code
Original behavior allowed uploads of .svgz, .xht, .xml, .xsl, and .xslt files without restriction, so a crafted file containing <script>alert(1)</script> or similar script content could be stored and later served to other users without being sanitized or blocked.
Proof of Concept
Upload a file named malicious.svgz with content: `<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>` via the file upload endpoint; before the patch, the upload succeeds and the file is served as a page rendering the script, executing arbitrary JavaScript in any victim user's browser visiting the file URL.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-10T00:01:27.223Z