CVE-2025-68115 MEDIUM

CVE-2025-68115: Parse Server vulnerable to Cross-Site Scripting (XSS) via Unescaped Mustache Template Variables

Vendor Parse-Community
Product parse-server
Weakness CWE-79 · XSS
Published December 16, 2025
Last update December 16, 2025
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available.

Key dates

02Disclosure timeline

December 16, 2025 CVE published
December 16, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-37388 WordPress Simple Light Weight Social Share (Tweet, Like, Share and Linkedin) Plugin <= 2.0 is vulnerable to Cross Site Scripting (XSS) CVE-2022-2517 Beaver Builder – WordPress Page Builder <= 2.5.5.2 - Authenticated Stored Cross-Site Scripting via Caption - On Hover CVE-2024-3818 Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 4.5.9 - Authenticated (Contributor+) DOM-Based Cross-Site Scripting via "Social Icons" Block CVE-2022-30686 AEM Reflected XSS Arbitrary code execution CVE-2025-9101 zhenfeng13 My-Blog Tag save cross site scripting