CVE-2026-35200 β Parse Server is an open source backend that can be deployed to anyβ¦
Image via opengraph.githubassets.com
π¨ CVE-2026-35200 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that diff
fix: File upload Content-Type override via extension mismatch (GHSA-vr5f-2r24-w5hc) by mtrezza Β· Pull Request #10383 Β· parse-community/parse-server
github.com
What This Means For You
- New vulnerability disclosed β verify if your stack is exposed.
- New tool or resource available β evaluate for your security workflow.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-35200 | Misconfiguration | Parse Server versions prior to 8.6.73 and 9.7.1-alpha.4. Vulnerability occurs when a file is uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. |
| CVE-2026-35200 | Information Disclosure | Parse Server versions prior to 8.6.73 and 9.7.1-alpha.4. Affected component: File upload functionality. Vulnerability: Mismatched Content-Type header during file upload leading to files being served with an incorrect Content-Type by certain storage adapters (S3, GCS). |
π Recommended Tools
π€
SCW Elite Bot
Get IOC packs, detection rules & premium threat intel β pay with Telegram Stars β
Open Bot β
Source & Attribution
| Source Platform | Telegram |
| Channel | CVE Notify |
| Channel ID | 1129491012 |
| Message ID | 158333 |
| Published | April 07, 2026 at 21:27 UTC |
| Original Link | https://github.com/parse-community/parse-server/pull/10383 |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Found this interesting? Follow us to stay ahead.
Share