Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue.
AnalysisAI
Stored XSS in Uploady file uploader (farisc0de/Uploady versions prior to 3.1.2) allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by uploading files with malicious filenames that are rendered without proper escaping in file list and details pages. The vulnerability requires user interaction (viewing the affected page) and authenticated access, resulting in confidentiality and integrity impact with a CVSS score of 4.6. Vendor-released patch version 3.1.2 is available.
Technical ContextAI
Uploady is a PHP-based file upload utility identified via CPE cpe:2.3:a:farisc0de:uploady:*:*:*:*:*:*:*:* that processes multi-file uploads. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic stored XSS flaw where user-supplied filenames are persisted in the application and subsequently rendered in HTML responses without sanitization or output encoding. When filenames containing JavaScript payloads (e.g., filename.jpg"><script>alert(1)</script>.jpg) are displayed in file listings or detail views, the browser interprets and executes the embedded code within the security context of the application domain. The root cause is insufficient input validation during upload and/or missing output encoding during display rendering.
RemediationAI
Upgrade Uploady to version 3.1.2 or later immediately (see vendor release at https://github.com/farisc0de/Uploady/releases/tag/v3.1.2). Until patching is completed, implement defense-in-depth: enforce strict filename validation and sanitization on upload to reject or normalize filenames containing special characters, HTML entities, or script-like patterns; apply output encoding (HTML entity encoding) when rendering filenames in any HTML context; deploy Content Security Policy (CSP) headers with script-src 'self' and no unsafe-inline to mitigate XSS impact; and restrict file upload access to authenticated and authorized users only. Review the security advisory and commit https://github.com/farisc0de/Uploady/commit/e4b4dbec0b45304b5ab01e36a1003d0c7cc613d5 to understand the fix and validate local remediation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16425