CVE-2026-33653
Stored XSS in Ulloady File Upload via Malicious Filenames
Publication date: 2026-03-26
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| farisc0de | uploady | to 3.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Ulloady, a file uploader script, in versions prior to 3.1.2. It is a Stored Cross-Site Scripting (XSS) issue caused by improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code. When this filename is later displayed in the application, the malicious script executes in the browser of any user who views the file list or file details page.
How can this vulnerability impact me? :
The vulnerability can allow attackers to execute malicious scripts in the browsers of users who view the uploaded filenames. This can lead to theft of user credentials, session hijacking, or other malicious actions performed on behalf of the user. It can also damage user trust and potentially compromise the security of the affected application.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Ulloady to version 3.1.2 or later, as this version fixes the Stored Cross-Site Scripting (XSS) issue by properly sanitizing filenames during the file upload process.