CVE-2026-25154
Unknown Unknown - Not Provided
Cross-Site Scripting in LocalSend HTTP Server File Sharing

Publication date: 2026-01-30

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-30
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-01-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25154
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
localsend localsend to 1.17.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

LocalSend versions up to 1.17.0 have a vulnerability in the "Share via Link" feature where the app starts a local HTTP server to host files. The client-side JavaScript (in app/assets/web/main.js) constructs the HTML for the file list by iterating over files received from the server, which could lead to security issues. A patch was made in commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c to address this.

Impact Analysis

This vulnerability can impact you by allowing an attacker to potentially manipulate the file list displayed in the web interface, leading to partial confidentiality and integrity loss of data shared via the LocalSend app. Since the vulnerability involves a local HTTP server and client-side code, it could be exploited by nearby attackers on the same network to interfere with file sharing sessions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25154. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart