LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch.
References
| Link | Resource |
|---|---|
| https://github.com/localsend/localsend/commit/8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c | Patch |
| https://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4 | Exploit Vendor Advisory |
Configurations
History
19 Feb 2026, 15:15
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Localsend localsend
Localsend |
|
| References | () https://github.com/localsend/localsend/commit/8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c - Patch | |
| References | () https://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4 - Exploit, Vendor Advisory | |
| CPE | cpe:2.3:a:localsend:localsend:*:*:*:*:*:*:*:* |
30 Jan 2026, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-30 22:15
Updated : 2026-02-19 15:15
NVD link : CVE-2026-25154
Mitre link : CVE-2026-25154
CVE.ORG link : CVE-2026-25154
JSON object : View
Products Affected
localsend
- localsend
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')