Uploady Vulnerable to Stored Cross-Site Scripting (XSS)_CVE-2026-33653

4.6 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Description

Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue.

Basic Information

ID CVE-2026-33653

Source GitHub_M

Published Mar 26, 2026 at 21:00

Modified Mar 27, 2026 at 20:16

Affected Product

Vendor farisc0de

Product Uploady

Version < 3.1.2

Affected Versions farisc0de Uploady < 3.1.2

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue.",
    "published": "2026-03-26T21:00:27.373Z",
    "modified": "2026-03-27T20:16:06.700Z",
    "type": "cve",
    "title": "Uploady Vulnerable to Stored Cross-Site Scripting (XSS)",
    "source": "GitHub_M",
    "references": "https://github.com/farisc0de/Uploady/security/advisories/GHSA-2834-m7xm-fqr5\nhttps://github.com/farisc0de/Uploady/commit/e4b4dbec0b45304b5ab01e36a1003d0c7cc613d5\nhttps://github.com/farisc0de/Uploady/releases/tag/v3.1.2",
    "id": "CVE-2026-33653",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "farisc0de Uploady < 3.1.2",
    "sourceHref": "",
    "cvss": {
        "score": 4.6,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Uploady",
    "version": "< 3.1.2",
    "vendor": "farisc0de",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}