Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 93b784d
Author: Manuel
Date: 2026-03-08T02:04:59Z
Commit Message
fix: Stored cross-site scripting (XSS) via SVG file upload ([GHSA-hcj7-6gxh-24ww](https://github.com/parse-community/parse-server/security/advisories/GHSA-hcj7-6gxh-24ww)) (#10136)
Pull Request
PR: #10136 - fix: Stored cross-site scripting (XSS) via SVG file upload (GHSA-hcj7-6gxh-24ww)
Labels: state:released-alpha
Description:
Pull Request
Issue
Stored cross-site scripting (XSS) via SVG file upload ([GHSA-hcj7-6gxh-24ww](https://github.com/parse-community/parse-server/security/advisories/GHSA-hcj7-6gxh-24ww))
Analysis
Vulnerability Type: Stored Cross-Site Scripting (XSS)
Severity: High
Description
The previous code allowed uploading SVG files containing embedded malicious JavaScript, which could be stored and executed in users' browsers when viewing the SVG. This patch blocks SVG file uploads by default, preventing attackers from storing malicious scripts within SVG images and mitigating stored XSS attacks.
Affected Code
/* Prior to the patch, the file upload allowed SVG files without proper blocking or sanitization, enabling upload of files like: <svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg> */
Proof of Concept
Upload a file named malicious.svg with content: <svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>
Result: The SVG file upload succeeds, storing the malicious SVG on the server.
When a victim user loads or views this SVG, the embedded script executes, displaying the alert and potentially harvesting cookies or performing other malicious actions.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-08T06:00:55.416Z