CVE-2026-33653

{"id": "CVE-2026-33653", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-03-26T22:16:29.220", "references": [{"url": "https://github.com/farisc0de/Uploady/commit/e4b4dbec0b45304b5ab01e36a1003d0c7cc613d5", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/farisc0de/Uploady/releases/tag/v3.1.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/farisc0de/Uploady/security/advisories/GHSA-2834-m7xm-fqr5", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue."}, {"lang": "es", "value": "Ulloady es un script de carga de archivos con soporte para carga de m\u00faltiples archivos. Una vulnerabilidad de cross-site scripting (XSS) almacenado existe en versiones anteriores a la 3.1.2 debido a una sanitizaci\u00f3n inadecuada de los nombres de archivo durante el proceso de carga de archivos. Un atacante puede cargar un archivo con un nombre de archivo malicioso que contiene c\u00f3digo JavaScript, el cual luego se renderiza en la aplicaci\u00f3n sin el escape adecuado. Cuando el nombre de archivo se muestra en la lista de archivos o en la p\u00e1gina de detalles del archivo, el script malicioso se ejecuta en el navegador de cualquier usuario que ve la p\u00e1gina. La versi\u00f3n 3.1.2 corrige el problema."}], "lastModified": "2026-04-10T14:27:58.470", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:farisc0de:uploady:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F48E1F2-1F58-4FF9-B8F0-1AFFE0182D5E", "versionEndExcluding": "3.1.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}