← Retour aux CVEs
CVE-2026-33653
MEDIUM4.6
Description
Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue.
Details CVE
Score CVSS v3.14.6
SeveriteMEDIUM
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisLOW
Interaction utilisateurREQUIRED
Publie3/26/2026
Derniere modification3/30/2026
Sourcenvd
Observations honeypot0
Faiblesses (CWE)
CWE-79
References
https://github.com/farisc0de/Uploady/commit/e4b4dbec0b45304b5ab01e36a1003d0c7cc613d5(security-advisories@github.com)
https://github.com/farisc0de/Uploady/releases/tag/v3.1.2(security-advisories@github.com)
https://github.com/farisc0de/Uploady/security/advisories/GHSA-2834-m7xm-fqr5(security-advisories@github.com)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.