Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:X/RE:L/U:Amber
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:X/RE:L/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website with a malicious default file path, and then conceal this form element.
AnalysisAI
File disclosure via malicious HTML file upload default values in Mothra, the web browser bundled with the 9front Plan 9 fork, allows a remote unauthenticated attacker to exfiltrate arbitrary local files from a victim's filesystem. By crafting a webpage containing a hidden file input element with a pre-set malicious default path, the attacker can cause Mothra to silently submit a targeted local file to an attacker-controlled server upon user interaction. The CVSS 4.0 E:P supplemental metric indicates publicly available proof-of-concept exploit code exists; no CISA KEV listing is present, suggesting exploitation is not yet confirmed at scale.
Technical ContextAI
Mothra is the native graphical web browser in 9front, a community fork of Bell Labs Plan 9 operating system. The vulnerability arises from Mothra's handling of the HTML 'value' attribute on file input elements (<input type='file' value='...'>) - the browser incorrectly honors a server-supplied default file path rather than requiring the user to manually select a file. The affected product is identified by CPE cpe:2.3:a:9front:9front:*:*:*:*:*:*:*:* spanning all commits prior to the fix commit d145acc9ef0da47131af6ad94e87264e04870d47. No CWE is formally assigned, but the root cause aligns with the class of improper input validation or unauthorized information exposure through browser-side trust of server-controlled file references - conceptually adjacent to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-552 (Files or Directories Accessible to External Parties). The attack requires active user interaction (CVSS UI:A) but no authentication or special network positioning.
RemediationAI
The primary fix is to update Mothra by pulling the 9front source tree to commit d145acc9ef0da47131af6ad94e87264e04870d47 or any later revision, then rebuilding. The upstream fix commit is documented at https://git.9front.org/plan9front/9front/d145acc9ef0da47131af6ad94e87264e04870d47/commit.html. Note that this is a source commit rather than a tagged release, so a patched named release version has not been independently confirmed from the available data. As a compensating control where rebuilding is not immediately possible, users should avoid browsing untrusted or unknown websites with Mothra, particularly any site that presents forms or requests file operations. Disabling or not using Mothra's file upload functionality when visiting untrusted pages reduces exposure, though this may not be granularly configurable without source modification. There are no known side effects to applying the upstream commit fix.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31401
GHSA-38r3-cgcv-g3qp