CVE-2026-30948 HIGH

CVE-2026-30948: Parse Server has stored cross-site scripting (XSS) via SVG file upload

Vendor Parse-Community

Product parse-server

Weakness CWE-79 · XSS

Published March 10, 2026

Last update March 10, 2026

View on NVD All CVEs

CVSS base score

8.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

01Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with Content-Type: image/svg+xml and without protective headers, causing the browser to execute embedded scripts in the Parse Server origin. This can be exploited to steal session tokens from localStorage and achieve account takeover. The default fileExtensions option blocks HTML file extensions but does not block SVG, which is a well-known XSS vector. All Parse Server deployments where file upload is enabled for authenticated users (the default) are affected. This vulnerability is fixed in 9.5.2-alpha.4 and 8.6.17.

Key dates

02Disclosure timeline

March 10, 2026 CVE published

March 10, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-30948

Related vulnerabilities

Identifiers

CVE CVE-2026-30948

CWE CWE-79

CVSS 8.3 / HIGH

Affected versions

Vendor Parse-Community

Product parse-server

Affected >= 9.0.0 < 9.5.2-alpha.4

Vendor Parse-Community

Product parse-server

Affected < 8.6.17

CVE-2026-30948: Parse Server has stored cross-site scripting (XSS) via SVG file upload

01Description

02Disclosure timeline

03References

04Related CVE