CVE-2026-35200

LOW EPSS 5.8%
Published Apr 6, 2026 (2mo ago) · Last Modified Jun 17, 2026 (1w ago)
CVSS 4.0: 2.1 (Low)

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4.
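
The mismatch the description refers to can be caught before the file reaches a storage adapter. The following is an added example, not Parse Server's patch code: `checkUpload`, `baseType` and the `MIME_BY_EXT` table are hypothetical names and constructed values, and the policy shown (reject on mismatch, store the type derived from the filename) is one assumed way to enforce consistency.

```javascript
// Added example: constructed extension-to-MIME map, not Parse Server's own table.
const MIME_BY_EXT = {
  txt: 'text/plain',
  png: 'image/png',
  jpg: 'image/jpeg',
  pdf: 'application/pdf',
};

// Strip parameters such as "; charset=utf-8" and normalise case.
function baseType(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// Hypothetical helper: decide whether an upload may be handed to the storage adapter.
// Returns { ok: true, contentType } on success or { ok: false, reason } on rejection.
function checkUpload(filename, contentType, allowedExts = Object.keys(MIME_BY_EXT)) {
  const dot = filename.lastIndexOf('.');
  const ext = dot > 0 ? filename.slice(dot + 1).toLowerCase() : '';
  if (!ext || !allowedExts.includes(ext)) {
    return { ok: false, reason: 'extension not allowed' };
  }
  const expected = MIME_BY_EXT[ext];
  if (!expected) {
    return { ok: false, reason: 'no known type for extension' };
  }
  const claimed = baseType(contentType);
  // The mismatch described above: allowlisted extension, different Content-Type.
  if (claimed && claimed !== expected) {
    return { ok: false, reason: `Content-Type ${claimed} does not match .${ext}` };
  }
  // Store the type derived from the filename, never the client-supplied string.
  return { ok: true, contentType: expected };
}

// Constructed sample uploads.
const samples = [
  ['notes.txt', 'text/plain; charset=utf-8'],
  ['notes.txt', 'text/html'],
  ['photo.PNG', ''],
  ['page.html', 'text/html'],
];
for (const [name, type] of samples) {
  console.log(name, JSON.stringify(type), '->', JSON.stringify(checkUpload(name, type)));
}
```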

CVSS Details

Base Score: 2.1
Exploitability
Impact
Vector string: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive (P)
Scope: X

Threat Intelligence

EPSS Exploit Probability
5.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-436

Affected Products 5

Vendor         Product        Version   Range
parseplatform  parse-server   *         <8.6.73
parseplatform  parse-server   *         ≥9.0.0 – <9.7.1
parseplatform  parse-server   9.7.1     any
parseplatform  parse-server   9.7.1     any
parseplatform  parse-server   9.7.1     any

References 3

  • https://github.com/parse-community/parse-server/pull/10383
    Issue Tracking, Patch
  • https://github.com/parse-community/parse-server/pull/10384
    Issue Tracking, Patch
  • https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc
    Mitigation, Patch, Vendor Advisory

Remediation

  • https://github.com/parse-community/parse-server/pull/10383
    Issue Tracking, Patch
  • https://github.com/parse-community/parse-server/pull/10384
    Issue Tracking, Patch
  • https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc
    Mitigation, Patch, Vendor Advisory