CVE-2026-25154
Cross-Site Scripting in LocalSend HTTP Server File Sharing
Publication date: 2026-01-30
Last updated on: 2026-02-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| localsend | localsend | to 1.17.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
LocalSend versions up to 1.17.0 have a vulnerability in the "Share via Link" feature where the app starts a local HTTP server to host files. The client-side JavaScript (in app/assets/web/main.js) constructs the HTML for the file list by iterating over files received from the server, which could lead to security issues. A patch was made in commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c to address this.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to potentially manipulate the file list displayed in the web interface, leading to partial confidentiality and integrity loss of data shared via the LocalSend app. Since the vulnerability involves a local HTTP server and client-side code, it could be exploited by nearby attackers on the same network to interfere with file sharing sessions.