CVE-2022-50891

Owlfiles File Manager 12.0.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the path parameter in HTTP server endpoints. Attackers can craft URLs targeting the download and list endpoints with embedded script tags to execute arbitrary JavaScript in users' browsers.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 2.7

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://apps.apple.com/us/app/owlfiles-file-manager/id510282524	Product
https://www.exploit-db.com/exploits/51036	Exploit
https://www.skyjos.com/	Product
https://www.vulncheck.com/advisories/owlfiles-file-manager-cross-site-scripting-via-http-server	Third Party Advisory
https://www.exploit-db.com/exploits/51036	Exploit

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:skyjos:owlfiles:12.0.1:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:ipados:-:::::::*
	cpe:2.3:o:apple:iphone_os:-:::::::*
	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:apple:tvos:-:::::::*
	cpe:2.3:o:apple:visionos:-:::::::*

History

02 Feb 2026, 16:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~6.2~~	v2 : unknown v3 : 5.0

28 Jan 2026, 20:24

Type	Values Removed	Values Added
First Time		Apple tvos Skyjos owlfiles Apple ipados Skyjos Apple iphone Os Apple visionos Apple macos Apple
CPE		cpe:2.3:o:apple:ipados:-:::::::* cpe:2.3:o:apple:tvos:-:::::::* cpe:2.3:o:apple:iphone_os:-:::::::* cpe:2.3:a:skyjos:owlfiles:12.0.1:::::::* cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:apple:visionos:-:::::::*
References	~~() https://apps.apple.com/us/app/owlfiles-file-manager/id510282524 -~~	() https://apps.apple.com/us/app/owlfiles-file-manager/id510282524 - Product
References	~~() https://www.exploit-db.com/exploits/51036 -~~	() https://www.exploit-db.com/exploits/51036 - Exploit
References	~~() https://www.skyjos.com/ -~~	() https://www.skyjos.com/ - Product
References	~~() https://www.vulncheck.com/advisories/owlfiles-file-manager-cross-site-scripting-via-http-server -~~	() https://www.vulncheck.com/advisories/owlfiles-file-manager-cross-site-scripting-via-http-server - Third Party Advisory

14 Jan 2026, 20:15

Type	Values Removed	Values Added
References	~~() https://www.exploit-db.com/exploits/51036 -~~	() https://www.exploit-db.com/exploits/51036 -

13 Jan 2026, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-13 23:15

Updated : 2026-02-02 16:16

NVD link : CVE-2022-50891

Mitre link : CVE-2022-50891

CVE.ORG link : CVE-2022-50891

JSON object : View

Products Affected

skyjos

owlfiles

apple

iphone_os
visionos
tvos
ipados
macos

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.0 /10