CVE-2026-35200 β Parse Server is an open source backend that can be deployed to anyβ¦
Image via opengraph.githubassets.com
π¨ CVE-2026-35200 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that diff
What This Means For You
- New vulnerability disclosed β verify if your stack is exposed.
- New tool or resource available β evaluate for your security workflow.
Related ATT&CK Techniques
π‘οΈ Detection Rules
1 rule Β· 6 SIEM formats1 detection rule mapped to MITRE ATT&CK. Free Sigma YAML below.
Web Application Exploitation Attempt β CVE-2026-35200
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-35200 | Misconfiguration | Parse Server versions prior to 8.6.73 and 9.7.1-alpha.4. Vulnerability occurs when a file is uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. |
| CVE-2026-35200 | Information Disclosure | Parse Server versions prior to 8.6.73 and 9.7.1-alpha.4. Affected component: File upload functionality. Vulnerability: Mismatched Content-Type header during file upload leading to files being served with an incorrect Content-Type by certain storage adapters (S3, GCS). |
Source & Attribution
| Source Platform | Telegram |
| Channel | CVE Notify |
| Published | April 07, 2026 at 21:27 UTC |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Daily Security Digest β 2026-05-22
13 vulnerability disclosures (5 Critical, 8 High) and 14 curated intelligence stories from 6 sources.
Ghostwriter Targets Ukraine Government with Prometheus Phishing
The Belarus-aligned threat actor, Ghostwriter (also tracked as UAC-0057 and UNC1151), is actively targeting Ukrainian government entities. According to The Hacker News, this group is...
Huawei Router Flaw Triggered Telecom Blackout, SecurityWeek Reports
SecurityWeek reports on a critical flaw in Huawei routers that led to a significant telecom blackout. While details are sparse, the incident underscores the inherent...