CVE-2025-68115
EPSS 0.03%Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
Published: 12/16/2025Modified: 12/18/2025
Description
## Impact A Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. ## Patches The patch escapes user controlled values that are inserted into the HTML pages. ## Workarounds None. ## Resources - https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv - https://github.com/parse-community/parse-server/pull/9985 - https://github.com/parse-community/parse-server/pull/9986
Affected packages (2)
- Bitnami/parsefrom 0, < 8.6.1, >= 9.0.0, < 9.1.0
- npm/parse-serverfrom 0, < 8.6.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-68115
- PATCHhttps://github.com/parse-community/parse-server
- WEBhttps://github.com/parse-community/parse-server/pull/9985
- WEBhttps://github.com/parse-community/parse-server/pull/9986
- WEBhttps://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv