CVE-2026-30848: Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory

The PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages).

This affects any Parse Server deployment with the pages feature enabled (pages.enableRouter: true). Exploitation requires a sibling directory of pagesPath whose name begins with the same string as the pages directory name.