Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-davb-xyy3-2qf1
Vulnerability ID VCID-davb-xyy3-2qf1
Aliases CVE-2026-35200
GHSA-vr5f-2r24-w5hc
Summary Parse Server: File upload Content-Type override via extension mismatch ### Impact A file can be uploaded with a filename extension that passes the file extension allowlist (e.g., `.txt`) but with a `Content-Type` header that differs from the extension (e.g., `text/html`). The `Content-Type` is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. ### Patches The file upload now derives the Content-Type from the filename extension, overriding any user-provided Content-Type when the file has an extension. ### Workarounds Configure the storage adapter or CDN to derive Content-Type from the filename extension instead of using the stored Content-Type.
Status Published
Exploitability 0.5
Weighted Severity 2.7
Risk 1.4
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-436 Interpretation Conflict
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2026-35200
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2026-35200
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2026-35200
cvssv3.1_qr LOW https://github.com/advisories/GHSA-vr5f-2r24-w5hc
cvssv4 2.1 https://github.com/parse-community/parse-server
generic_textual LOW https://github.com/parse-community/parse-server
cvssv4 2.1 https://github.com/parse-community/parse-server/pull/10383
generic_textual LOW https://github.com/parse-community/parse-server/pull/10383
ssvc Track https://github.com/parse-community/parse-server/pull/10383
cvssv4 2.1 https://github.com/parse-community/parse-server/pull/10384
generic_textual LOW https://github.com/parse-community/parse-server/pull/10384
ssvc Track https://github.com/parse-community/parse-server/pull/10384
cvssv3.1_qr LOW https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc
cvssv4 2.1 https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc
generic_textual LOW https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc
ssvc Track https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc
cvssv4 2.1 https://nvd.nist.gov/vuln/detail/CVE-2026-35200
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2026-35200
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-35200
https://github.com/parse-community/parse-server
https://github.com/parse-community/parse-server/pull/10383
https://github.com/parse-community/parse-server/pull/10384
https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc
https://nvd.nist.gov/vuln/detail/CVE-2026-35200
GHSA-vr5f-2r24-w5hc https://github.com/advisories/GHSA-vr5f-2r24-w5hc
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/parse-community/parse-server
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/parse-community/parse-server/pull/10383
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/ Found at https://github.com/parse-community/parse-server/pull/10383
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/parse-community/parse-server/pull/10384
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/ Found at https://github.com/parse-community/parse-server/pull/10384
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:02:43Z/ Found at https://github.com/parse-community/parse-server/security/advisories/GHSA-vr5f-2r24-w5hc
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-35200
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.0995
EPSS Score 0.00032
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:53:24.420734+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-vr5f-2r24-w5hc/GHSA-vr5f-2r24-w5hc.json 38.6.0