Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
A reflected cross-site scripting (XSS) vulnerability exists in WebFileSys version 2.31.1. User-controlled input is reflected into HTML and JavaScript contexts without proper output encoding, allowing arbitrary JavaScript execution in the victim's browser.
AnalysisAI
Reflected cross-site scripting (XSS) in WebFileSys 2.31.1 allows remote attackers to execute arbitrary JavaScript in victims' browsers via unencoded user input reflected into HTML and JavaScript contexts. Attack requires victim interaction (UI:R) but affects cross-site scope, enabling session hijacking, credential theft, or malware delivery. EPSS score of 0.01% indicates extremely low baseline exploitation probability despite public exploit code availability on GitHub.
Technical ContextAI
WebFileSys is a file management system that fails to properly sanitize or encode user-controlled input before reflecting it into HTML and JavaScript execution contexts. This is a classic DOM-based and server-side reflection vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). The vulnerability exists because input validation and output encoding are insufficient - the application accepts arbitrary characters and emits them directly into page markup or script context without HTML entity encoding, URL encoding, or JavaScript string escaping. When a victim clicks a malicious link containing JavaScript payload, the application reflects the payload back to the browser, which interprets and executes it with the victim's session privileges.
RemediationAI
Primary remediation is to upgrade WebFileSys to a patched version released after 2.31.1; consult https://www.webfilesys.de/ and https://vuldb.com/vuln/359880 for confirmed patched versions and release notes. If immediate patching is not feasible, implement the following compensating controls: (1) Deploy a Web Application Firewall (WAF) configured to detect and block reflected XSS payloads (common patterns: <script>, javascript:, onerror=, etc.) - trade-off is potential false positives requiring tuning; (2) Enforce HTTP Content Security Policy (CSP) headers restricting script execution to whitelisted sources, blocking inline scripts and eval - this prevents payload execution even if reflected; (3) Restrict network access to WebFileSys using IP whitelisting or VPN - trade-off is reduced accessibility but strongest mitigation for internal deployments; (4) Conduct user security awareness training on phishing and malicious link risks - essential due to UI:R requirement, as users clicking crafted links are the attack vector. Monitor GitHub (https://github.com/Tharooon/CVE-2026-29971/) for exploit refinements; if active exploitation emerges, prioritize patching.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25916