CVE-2025-68115

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available.

Published: Dec 16, 2025
Updated: Jan 3, 2026
CVE: CVE-2025-68115
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
parseplatform / parse-server	-	8.6.1
parseplatform / parse-server	9.0.0	9.0.0.x
parseplatform / parse-server	9.0.0-alpha1	9.0.0-alpha1.x
parseplatform / parse-server	9.0.0-alpha10	9.0.0-alpha10.x
parseplatform / parse-server	9.0.0-alpha11	9.0.0-alpha11.x
parseplatform / parse-server	9.0.0-alpha2	9.0.0-alpha2.x
parseplatform / parse-server	9.0.0-alpha3	9.0.0-alpha3.x
parseplatform / parse-server	9.0.0-alpha4	9.0.0-alpha4.x
parseplatform / parse-server	9.0.0-alpha5	9.0.0-alpha5.x
parseplatform / parse-server	9.0.0-alpha6	9.0.0-alpha6.x
parseplatform / parse-server	9.0.0-alpha7	9.0.0-alpha7.x
parseplatform / parse-server	9.0.0-alpha8	9.0.0-alpha8.x
parseplatform / parse-server	9.0.0-alpha9	9.0.0-alpha9.x
parseplatform / parse-server	9.1.0-alpha1	9.1.0-alpha1.x
parseplatform / parse-server	9.1.0-alpha2	9.1.0-alpha2.x

Vulnerability Database

318,003

CVE-2025-68115

Deep Security Visibility Without the Complexity