{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35200", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T18:48:58.937Z", "datePublished": "2026-04-06T19:47:27.709Z", "dateUpdated": "2026-04-07T14:02:50.601Z"}, "containers": {"cna": {"title": "Parse Server has a file upload Content-Type override via extension mismatch", "problemTypes": [{"descriptions": [{"cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 2.1, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc"}, {"name": "https://github.com/parse-community/parse-server/pull/10383", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10383"}, {"name": "https://github.com/parse-community/parse-server/pull/10384", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10384"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": ">= 9.0.0, < 9.7.1-alpha.4", "status": "affected"}, {"version": "< 8.6.73", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:47:27.709Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4."}], "source": {"advisory": "GHSA-vr5f-2r24-w5hc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:02:43.253229Z", "id": "CVE-2026-35200", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:02:50.601Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35200", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T18:48:58.937Z", "datePublished": "2026-04-06T19:47:27.709Z", "dateUpdated": "2026-04-07T14:02:50.601Z"}, "containers": {"cna": {"title": "Parse Server has a file upload Content-Type override via extension mismatch", "problemTypes": [{"descriptions": [{"cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 2.1, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc"}, {"name": "https://github.com/parse-community/parse-server/pull/10383", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10383"}, {"name": "https://github.com/parse-community/parse-server/pull/10384", "tags": ["x_refsource_MISC"], "url": "https://github.com/parse-community/parse-server/pull/10384"}], "affected": [{"vendor": "parse-community", "product": "parse-server", "versions": [{"version": ">= 9.0.0, < 9.7.1-alpha.4", "status": "affected"}, {"version": "< 8.6.73", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:47:27.709Z"}, "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4."}], "source": {"advisory": "GHSA-vr5f-2r24-w5hc", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35200", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T14:02:43.253229Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:02:46.373Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F448C862-A7B1-4475-85E1-48755F259577", "versionEndExcluding": "8.6.73", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "EF03C109-6DCF-4359-A9EC-44C14A80B9FA", "versionEndExcluding": "9.7.1", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.1:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "4F96BFE1-E9D0-4D78-BD1A-1AE1259F3FF9", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.1:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "C80914A3-E910-4C75-A542-768711DF429D", "vulnerable": true}, {"criteria": "cpe:2.3:a:parseplatform:parse-server:9.7.1:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "88D6D996-366F-4683-A60A-ADFAD1909EBD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4."}], "id": "CVE-2026-35200", "lastModified": "2026-04-07T18:01:08.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T20:16:27.720", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/pull/10383"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/parse-community/parse-server/pull/10384"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-436"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.7.1-alpha.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.6.73)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "parse-server", "source": "cna", "vendor": "parse-community"}, "product": "parse_server", "vendor": "parse_community"}], "analysis": {"en": {"generated_at": "2026-04-07T23:26:26.784059+00:00", "value": {"mitigation_remediation": ["Upgrade to Parse Server 8.6.73 or 9.7.1\u2011alpha.4 or newer.", "If an upgrade cannot be performed immediately, configure any S3 or GCS adapters to override or ignore the client\u2011supplied Content\u2011Type header.", "Verify that your deployment uses the default GridFS adapter or that custom adapters do not serve the client\u2011supplied MIME type.", "Monitor logs for anomalous file uploads and ensure served files match expected MIME types."], "summary": {"action": "Patch", "impact": "MIME Type Manipulation"}, "threat_synthesis": {"affected_systems": "Parse Server from the parse\u2011community project is affected. Versions older than 8.6.73 and older than 9.7.1\u2011alpha.4 are vulnerable. The default GridFS adapter is safe because it determines the MIME type on download, but adapters that store and serve the client\u2011supplied MIME type, such as Amazon S3 or Google Cloud Storage, are at risk.", "description_and_impact": "Parse Server allows uploads of files whose filename extension passes the server\u2019s whitelist but whose Content\u2011Type header differs. The Content\u2011Type supplied by the client is forwarded to the storage adapter without validation. Storage adapters that honor the provided MIME type, like S3 or GCS, serve the file with the mismatched type. The default GridFS adapter derives the type when the file is retrieved, so it is not affected. Based on the description, it is inferred that an attacker could upload a file that looks like a harmless text file but is served as HTML or JavaScript, potentially enabling client\u2011side execution or other content\u2011type based attacks. The flaw does not provide server\u2011side code execution.", "risk_and_exploitability": "CVSS score of 2.1 indicates a low severity impact. EPSS score under 1% suggests low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must be able to upload a file to the Parse Server instance and use a storage adapter that echoes the uploaded Content\u2011Type header. Under those conditions, the attacker can cause the file to be served with a different MIME type, which might provide a vector for cross\u2011site scripting or other content\u2011type confusion attacks."}}}}, "created": "2026-04-07T06:54:19.827337+00:00", "updated": "2026-04-08T19:50:33.043657+00:00", "vendors": ["parse_community", "parse_community$PRODUCT$parse_server"]}