Primary

Context

Parse Server Reflected Cross-Site Scripting Vulnerability in Password Reset and Email Verification Pages

Vulnerability

Patched

A reflected cross-site scripting vulnerability has been identified in Parse Server versions prior to 8.6.1 and 9.1.0-alpha.3. This issue occurs in the password reset and email verification HTML pages, where user-controlled values are not properly escaped, allowing for the injection of malicious scripts.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Remediation

Users can upgrade to Parse Server versions 8.6.1 or 9.1.0-alpha.3 to address this vulnerability.

Added: Dec 16, 2025, 1:17 AM

Updated: Dec 16, 2025, 1:17 AM

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

1.7

exploitability

6.5

remediation

7.7

relevance

1.6

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

1.7

exploitability

6.5

remediation

7.7

relevance

1.6

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Parse Server Reflected Cross-Site Scripting Vulnerability in Password Reset and Email Verification Pages

Vulnerability

Impact

Remediation

Affected Products

Parse Server

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating