CVE-2026-25154
Unknown Unknown - Not Provided

Cross-Site Scripting in LocalSend HTTP Server File Sharing

Vulnerability report for CVE-2026-25154, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-30

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description

LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-30
Last Modified
2026-02-19
Generated
2026-07-06
AI Q&A
2026-01-31
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
localsend localsend to 1.17.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

LocalSend versions up to 1.17.0 have a vulnerability in the "Share via Link" feature where the app starts a local HTTP server to host files. The client-side JavaScript (in app/assets/web/main.js) constructs the HTML for the file list by iterating over files received from the server, which could lead to security issues. A patch was made in commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c to address this.

Impact Analysis

This vulnerability can impact you by allowing an attacker to potentially manipulate the file list displayed in the web interface, leading to partial confidentiality and integrity loss of data shared via the LocalSend app. Since the vulnerability involves a local HTTP server and client-side code, it could be exploited by nearby attackers on the same network to interfere with file sharing sessions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25154. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart