CVE-2026-30948
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
Description
### Impact A stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with `Content-Type: image/svg+xml` and without protective headers, causing the browser to execute embedded scripts in the Parse Server origin. This can be exploited to steal session tokens from `localStorage` and achieve account takeover. The default `fileExtensions` option blocks HTML file extensions but does not block SVG, which is a well-known XSS vector. All Parse Server deployments where file upload is enabled for authenticated users (the default) are affected. ### Patches The fix adds `svg` (case-insensitive) to the default file extension denylist. The default regex changes from `^(?![xXsS]?[hH][tT][mM][lL]?$)` to `^(?!([xXsS]?[hH][tT][mM][lL]?|[sS][vV][gG])$)`. ### Workarounds Configure the `fileExtensions` option to explicitly block SVG uploads: ```js { fileUpload: { fileExtensions: ['^(?!([xXsS]?[hH][tT][mM][lL]?|[sS][vV][gG])$)'] } } ``` ### References - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-hcj7-6gxh-24ww - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.4 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.17
How to fix CVE-2026-30948
To remediate CVE-2026-30948, upgrade the affected package to a fixed version below.
- —upgrade to 8.6.17 or later
- —upgrade to 9.5.2-alpha.4 or later
Is CVE-2026-30948 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 8.6.17, >= 9.0.0, < 9.5.2
- >= 9.0.0, < 9.5.2-alpha.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N |