What is the CVSS score of CVE-2026-25154?

CVE-2026-25154 has a CVSS 3.1 base score of 6.1 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Localsend are affected by CVE-2026-25154?

Organizations using versions should be aware of moderate risk from CVE-2026-25154, a cross-site scripting vulnerability rated CVSS 6.1.. A patch is available.

Is there a public PoC exploit available for CVE-2026-25154?

Yes, a public proof-of-concept exploit is available for CVE-2026-25154. Prioritise patching immediately. EPSS: 0.0%.

Localsend CVE-2026-25154

MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-01-30 security-advisories@github.com

XSS Localsend

6.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.1 MEDIUM

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:00 vuln.today

PoC Detected

Feb 19, 2026 - 15:15 vuln.today

Public exploit code

Patch released

Feb 19, 2026 - 15:15 nvd

Patch available

CVE Published

Jan 30, 2026 - 22:15 nvd

MEDIUM 6.1

DescriptionGitHub Advisory

LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in app/assets/web/main.js. Note that at [0], the handleFilesDisplay function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch.

AnalysisAI

Cross-site scripting (XSS) in LocalSend up to version 1.17.0 allows unauthenticated attackers to inject malicious scripts through the "Share via Link" web interface, which fails to properly sanitize file names in the file list display. An attacker can craft a malicious file name that executes arbitrary JavaScript in the context of a victim's browser when they access the shared link, potentially leading to session hijacking or credential theft. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	CVSS 6.1 (MEDIUM). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A remote attacker could exploit this vulnerability to share files and messages with nearby devices over their local network without ne.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running versions and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-25154 vulnerability details – vuln.today

Back