MEDIUM

GHSA-jhgf-2h8h-ggxv

Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables

Details

## Impact

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages.

## Patches

The patch escapes user controlled values that are inserted into the HTML pages.

## Workarounds

None.

## Resources

- https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv - https://github.com/parse-community/parse-server/pull/9985 - https://github.com/parse-community/parse-server/pull/9986

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / parse-server

Introduced in: 0 Fixed in: 8.6.1

Fix npm install parse-server@8.6.1

npm / parse-server

Introduced in: 9.0.0 Fixed in: 9.1.0-alpha.3

Fix npm install parse-server@9.1.0-alpha.3

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2025-68115 [ADVISORY]
https://github.com/parse-community/parse-server/pull/9985 [WEB]
https://github.com/parse-community/parse-server/pull/9986 [WEB]
https://github.com/parse-community/parse-server [PACKAGE]