Skip to main content

Uploady CVE-2026-33653

| EUVDEUVD-2026-16425 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-26 GitHub_M
4.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.1.2
EUVD ID Assigned
Mar 26, 2026 - 21:31 euvd
EUVD-2026-16425
Analysis Generated
Mar 26, 2026 - 21:31 vuln.today
CVE Published
Mar 26, 2026 - 21:00 nvd
MEDIUM 4.6

DescriptionGitHub Advisory

Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue.

AnalysisAI

Stored XSS in Uploady file uploader (farisc0de/Uploady versions prior to 3.1.2) allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by uploading files with malicious filenames that are rendered without proper escaping in file list and details pages. The vulnerability requires user interaction (viewing the affected page) and authenticated access, resulting in confidentiality and integrity impact with a CVSS score of 4.6. Vendor-released patch version 3.1.2 is available.

Technical ContextAI

Uploady is a PHP-based file upload utility identified via CPE cpe:2.3:a:farisc0de:uploady:*:*:*:*:*:*:*:* that processes multi-file uploads. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic stored XSS flaw where user-supplied filenames are persisted in the application and subsequently rendered in HTML responses without sanitization or output encoding. When filenames containing JavaScript payloads (e.g., filename.jpg"><script>alert(1)</script>.jpg) are displayed in file listings or detail views, the browser interprets and executes the embedded code within the security context of the application domain. The root cause is insufficient input validation during upload and/or missing output encoding during display rendering.

RemediationAI

Upgrade Uploady to version 3.1.2 or later immediately (see vendor release at https://github.com/farisc0de/Uploady/releases/tag/v3.1.2). Until patching is completed, implement defense-in-depth: enforce strict filename validation and sanitization on upload to reject or normalize filenames containing special characters, HTML entities, or script-like patterns; apply output encoding (HTML entity encoding) when rendering filenames in any HTML context; deploy Content Security Policy (CSP) headers with script-src 'self' and no unsafe-inline to mitigate XSS impact; and restrict file upload access to authenticated and authorized users only. Review the security advisory and commit https://github.com/farisc0de/Uploady/commit/e4b4dbec0b45304b5ab01e36a1003d0c7cc613d5 to understand the fix and validate local remediation.

Share

CVE-2026-33653 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy