CVE-2025-68115 — Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustac

Description

## Impact A Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. ## Patches The patch escapes user controlled values that are inserted into the HTML pages. ## Workarounds None. ## Resources - https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv - https://github.com/parse-community/parse-server/pull/9985 - https://github.com/parse-community/parse-server/pull/9986

How to fix CVE-2025-68115

To remediate CVE-2025-68115, upgrade the affected package to a fixed version below.

—upgrade to 8.6.1 or later
—upgrade to 8.6.1 or later

Is CVE-2025-68115 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 8.6.1, >= 9.0.0, < 9.1.0
from 0, < 8.6.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-68115
PATCHgithub.com/parse-community/parse-server
WEBgithub.com/parse-community/parse-server/pull/9985
WEBgithub.com/parse-community/parse-server/pull/9986