Webform Multiple File Upload

1 CVEs product

CVE-2025-12848 HIGH PATCH This Week

Cross-site scripting (XSS) in Drupal 7.x Webform Multiple File Upload module versions 7.x-1.2 through 7.x-1.6 enables unauthenticated attackers to execute arbitrary JavaScript in victims' browsers by uploading files with malicious filenames to Webform nodes where file type validation is disabled. The vulnerability originates in the third-party fyneworks/multifile library's file name renderer. With EPSS at 0.07% (21st percentile) and no public exploit identified at time of analysis, exploitation probability remains low despite the CVSS 7.0 score.

Drupal PHP XSS File Upload Webform Multiple File Upload
NVD HeroDevs
CVSS 4.0: 7.0
EPSS: 0.1%
