CVE-2026-33653

Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/farisc0de/Uploady/commit/e4b4dbec0b45304b5ab01e36a1003d0c7cc613d5
https://github.com/farisc0de/Uploady/releases/tag/v3.1.2
https://github.com/farisc0de/Uploady/security/advisories/GHSA-2834-m7xm-fqr5

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-26 22:16

Updated : 2026-03-30 13:26

NVD link : CVE-2026-33653

Mitre link : CVE-2026-33653

CVE.ORG link : CVE-2026-33653

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-33653", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}]}, "published": "2026-03-26T22:16:29.220", "references": [{"url": "https://github.com/farisc0de/Uploady/commit/e4b4dbec0b45304b5ab01e36a1003d0c7cc613d5", "source": "security-advisories@github.com"}, {"url": "https://github.com/farisc0de/Uploady/releases/tag/v3.1.2", "source": "security-advisories@github.com"}, {"url": "https://github.com/farisc0de/Uploady/security/advisories/GHSA-2834-m7xm-fqr5", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue."}, {"lang": "es", "value": "Ulloady es un script de carga de archivos con soporte para carga de m\u00faltiples archivos. Una vulnerabilidad de cross-site scripting (XSS) almacenado existe en versiones anteriores a la 3.1.2 debido a una sanitizaci\u00f3n inadecuada de los nombres de archivo durante el proceso de carga de archivos. Un atacante puede cargar un archivo con un nombre de archivo malicioso que contiene c\u00f3digo JavaScript, el cual luego se renderiza en la aplicaci\u00f3n sin el escape adecuado. Cuando el nombre de archivo se muestra en la lista de archivos o en la p\u00e1gina de detalles del archivo, el script malicioso se ejecuta en el navegador de cualquier usuario que ve la p\u00e1gina. La versi\u00f3n 3.1.2 corrige el problema."}], "lastModified": "2026-03-30T13:26:50.827", "sourceIdentifier": "security-advisories@github.com"}