CVE-2026-55778
CVE-2026-55778 is a low-severity vulnerability with a CVSS 4.0 base score of 2.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-434.
Key facts
- Severity: Low (CVSS 4.0 base score 2.1)
- EPSS exploit prediction: 0% (33rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-434
- Published:
- Last modified:
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type, allowing storage adapters such as S3 and GCS to serve attacker-supplied active content and enable stored cross-site scripting. This issue is fixed in versions 9.9.1-alpha.11 and 8.6.81.
Frequently asked questions
- What is CVE-2026-55778?
- Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type, allowing storage adapters such as S3 and GCS to serve attacker-supplied active content and enable stored cross-site scripting. This issue is fixed in versions 9.9.1-alpha.11 and 8.6.81.
- How severe is CVE-2026-55778?
- CVE-2026-55778 has a CVSS 4.0 base score of 2.1, rated low severity.
- Is CVE-2026-55778 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (33rd percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-55778?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2026-55778 published?
- CVE-2026-55778 was published on 2026-07-08 and last updated on 2026-07-09.
References
- https://github.com/parse-community/parse-server/commit/97c6a78d19f976ec756c1295f08a8fccab90799a
- https://github.com/parse-community/parse-server/commit/be12a60d65b6e140481882037fb896b1f951df50
- https://github.com/parse-community/parse-server/pull/10505
- https://github.com/parse-community/parse-server/pull/10506
- https://github.com/parse-community/parse-server/releases/tag/8.6.81
- https://github.com/parse-community/parse-server/releases/tag/9.9.1-alpha.11
- https://github.com/parse-community/parse-server/security/advisories/GHSA-v8x7-r927-cc93
Other CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities
- CVE-2026-56291 — Critical (CVSS 10.0): The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading…
- CVE-2026-48283 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-48276 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-57700 — Critical (CVSS 10.0): Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This…
- CVE-2025-69129 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7…
- CVE-2026-40772 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
Browse all CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities →