CVE-2026-32728
Published: 18 March 2026
Summary
CVE-2026-32728 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 1.9th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation of uploaded file Content-Type headers and extensions to prevent MIME parameter bypasses and storage of dangerous active content.
- Mandates secure configuration settings for file upload features, using application-specific allowlists instead of incomplete denylists to block dangerous extensions.
- Deploys malicious code protection mechanisms to scan for and eradicate active content, such as executable XML scripts in uploads, at system entry points.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in a public-facing Parse Server directly enables T1190 via the file-upload filter bypass; the resulting stored XSS on a trusted domain facilitates T1185 (session hijacking) and T1539 (web session cookie theft) for credential and data exfiltration.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. `;charset=utf-8`) to the `Content-Type` header. This causes the extension validation to fail matching against the blocklist, allowing active content to be stored and served under the application's domain. In addition, certain XML-based file extensions that can render scripts in web browsers are not included in the default blocklist. This can lead to stored XSS attacks, compromising session tokens, user credentials, or other sensitive data accessible via the browser's local storage. The fix in versions 9.6.0-alpha.15 and 8.6.41 strips MIME parameters from the `Content-Type` header before validating the file extension against the blocklist. The default blocklist has also been extended to include additional XML-based extensions (`xsd`, `rng`, `rdf`, `rdf+xml`, `owl`, `mathml`, `mathml+xml`) that can render active content in web browsers. Note that the `fileUpload.fileExtensions` option is intended to be configured as an allowlist of file extensions that are valid for a specific application, not as a denylist. The default denylist is provided only as a basic default that covers most common problematic extensions. It is not intended to be an exhaustive list of all potentially dangerous extensions. Developers should not rely on the default value, as new extensions that can render active content in browsers might emerge in the future. As a workaround, configure the `fileUpload.fileExtensions` option to use an allowlist of only the file extensions that your application needs, rather than relying on the default blocklist.
Deeper analysis
CVE-2026-32728 affects Parse Server, an open source backend deployable on any Node.js infrastructure, in versions prior to 9.6.0-alpha.15 and 8.6.41. The vulnerability enables attackers permitted to upload files to bypass the file extension filter by appending a MIME parameter, such as ";charset=utf-8", to the Content-Type header. This prevents proper matching against the blocklist, allowing active content to be stored and served under the application's domain. Additionally, the default blocklist omits certain XML-based extensions (xsd, rng, rdf, rdf+xml, owl, mathml, mathml+xml) that can render scripts in browsers, facilitating stored cross-site scripting (XSS) attacks mapped to CWE-79. The issue carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N).
An authenticated attacker with file upload permissions (low privileges required) can exploit this by crafting a malicious file upload request with the modified Content-Type header, evading extension validation. Once uploaded, the file—potentially containing executable scripts via overlooked XML extensions—is served from the trusted application domain. Victim users interacting with the content (user interaction required) trigger stored XSS, enabling theft of session tokens, user credentials, or other sensitive data from browser local storage. The changed scope amplifies impact through cross-origin data exfiltration.
Patches in Parse Server 9.6.0-alpha.15 and 8.6.41 strip MIME parameters from the Content-Type header prior to blocklist validation and extend the default blocklist to include the additional XML extensions. The security advisory emphasizes configuring the fileUpload.fileExtensions option as an application-specific allowlist rather than relying on the default denylist, which is not exhaustive and may miss emerging dangerous extensions. Relevant fixes and details are documented in GitHub commits 4f53ab3cad5502a51a509d53f999e00ff7217b8d and c7599c577a02b97eb5e76d4e20517b0283ae73c8, pull requests 10191 and 10192, and advisory GHSA-42ph-pf9q-cr72.
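The parameter-stripping fix and the allowlist recommendation that both the NVD description and the analysis above describe, as an added example that is not Parse Server's own code: a simplified JavaScript model in which the bypass-prone check sits beside the hardened one. The denylist, the media-type table, the helper names and the sample inputs are all constructed for illustration.

```javascript
// Added example, not Parse Server's code: simplified model of the CVE-2026-32728
// upload check. Tables, helper names and sample inputs are constructed.
// Constructed denylist in the spirit of the incomplete default the advisory
// describes: it lacks the XML-based extensions the fix later added.
const OLD_BLOCKLIST = new Set(['html', 'htm', 'js', 'svg', 'xml', 'xhtml']);

// Constructed media-type -> extension lookup standing in for a MIME database.
const EXT_BY_MEDIA_TYPE = {
  'image/png': 'png', 'image/jpeg': 'jpg', 'application/pdf': 'pdf',
  'text/html': 'html', 'application/xml': 'xml',
  'application/rdf+xml': 'rdf', 'application/mathml+xml': 'mathml',
};

// Bypass-prone check: the raw header is the lookup key, so a value carrying a
// MIME parameter ("text/html; charset=utf-8") misses the table, yields no
// extension, and is never matched against the denylist.
function isBlockedNaive(contentType) {
  const ext = EXT_BY_MEDIA_TYPE[contentType.toLowerCase()];
  return ext !== undefined && OLD_BLOCKLIST.has(ext);
}

// Hardened step 1 (what the fix does): strip MIME parameters, i.e. everything
// after the first ';', and normalise before any lookup.
function mediaTypeOf(contentType) {
  return contentType.split(';')[0].trim().toLowerCase();
}

// Hardened step 2 (what the advisory recommends): an application-specific
// allowlist; both the declared media type and the filename extension must map into it.
function isAllowedUpload(contentType, filename, allowlist) {
  const ext = EXT_BY_MEDIA_TYPE[mediaTypeOf(contentType)];
  const dot = filename.lastIndexOf('.');
  const nameExt = dot >= 0 ? filename.slice(dot + 1).toLowerCase() : '';
  return ext !== undefined && allowlist.has(ext) && allowlist.has(nameExt);
}

// Constructed allowlist for an application that only stores images and PDFs.
const IMAGE_AND_PDF_ONLY = new Set(['png', 'jpg', 'pdf']);

// Walk a few constructed upload attempts through both checks.
for (const [ct, name] of [
  ['text/html', 'page.html'],                 // denylist catches it
  ['text/html; charset=utf-8', 'page.html'],  // parameter defeats the naive check
  ['application/rdf+xml', 'data.rdf'],        // absent from the old denylist
  ['image/png; charset=utf-8', 'photo.png'],  // benign; parameter is harmless
]) {
  console.log(ct, name, 'naiveBlocked=' + isBlockedNaive(ct),
    'allowlistAccepts=' + isAllowedUpload(ct, name, IMAGE_AND_PDF_ONLY));
}
```

The allowlist here plays the role the advisory assigns to the `fileUpload.fileExtensions` option; the option's exact value syntax is not given on this page.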
Details
- CWE(s)