Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-53724— Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist

AI Predicted 8.6 Difficulty: Easy EPSS 0.04% · P14

Affected Version Matrix 2

VendorProductVersion RangeStatus
parse-communityparse-server< 8.6.79affected
>= 9.0.0, < 9.9.1-alpha.4affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-53724

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Source: NVD (National Vulnerability Database)
Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as image/svg+xml, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff on responses. This issue has been patched in versions 8.6.79 and 9.9.1-alpha.4.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
危险类型文件的不加限制上传
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
parse-communityparse-server < 8.6.79 -

II. Public POCs for CVE-2026-53724

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-53724

登录查看更多情报信息。

Patches & Fixes for CVE-2026-53724 (2)

Vendor Advisories for CVE-2026-53724 (1)

Same Patch Batch · parse-community · 2026-06-12 · 6 CVEs total

CVE-2026-53726Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
CVE-2026-53725Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected
CVE-2026-47248Parse Server: GraphQL "Did you mean" validation suggestions disclose schema to unauthentic
CVE-2026-47138Parse Server: Pre-authentication denial of service via client version header regex backtra
CVE-2026-50008Parse Server: Server option routeAllowList is bypassable through batch sub-requests

IV. Related Vulnerabilities

Same product: parse-server
Same vendor: parse-community
Same weakness: CWE-434

V. Comments for CVE-2026-53724

No comments yet

Leave a comment