{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33653", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T15:23:42.218Z", "datePublished": "2026-03-26T21:00:27.373Z", "dateUpdated": "2026-03-27T20:16:06.700Z"}, "containers": {"cna": {"title": "Uploady Vulnerable to Stored Cross-Site Scripting (XSS)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/farisc0de/Uploady/security/advisories/GHSA-2834-m7xm-fqr5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/farisc0de/Uploady/security/advisories/GHSA-2834-m7xm-fqr5"}, {"name": "https://github.com/farisc0de/Uploady/commit/e4b4dbec0b45304b5ab01e36a1003d0c7cc613d5", "tags": ["x_refsource_MISC"], "url": "https://github.com/farisc0de/Uploady/commit/e4b4dbec0b45304b5ab01e36a1003d0c7cc613d5"}, {"name": "https://github.com/farisc0de/Uploady/releases/tag/v3.1.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/farisc0de/Uploady/releases/tag/v3.1.2"}], "affected": [{"vendor": "farisc0de", "product": "Uploady", "versions": [{"version": "< 3.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T21:00:27.373Z"}, "descriptions": [{"lang": "en", "value": "Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue."}], "source": {"advisory": "GHSA-2834-m7xm-fqr5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:15:59.108800Z", "id": "CVE-2026-33653", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:16:06.700Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33653", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T20:15:59.108800Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:16:03.762Z"}}], "cna": {"title": "Uploady Vulnerable to Stored Cross-Site Scripting (XSS)", "source": {"advisory": "GHSA-2834-m7xm-fqr5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "farisc0de", "product": "Uploady", "versions": [{"status": "affected", "version": "< 3.1.2"}]}], "references": [{"url": "https://github.com/farisc0de/Uploady/security/advisories/GHSA-2834-m7xm-fqr5", "name": "https://github.com/farisc0de/Uploady/security/advisories/GHSA-2834-m7xm-fqr5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/farisc0de/Uploady/commit/e4b4dbec0b45304b5ab01e36a1003d0c7cc613d5", "name": "https://github.com/farisc0de/Uploady/commit/e4b4dbec0b45304b5ab01e36a1003d0c7cc613d5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/farisc0de/Uploady/releases/tag/v3.1.2", "name": "https://github.com/farisc0de/Uploady/releases/tag/v3.1.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T21:00:27.373Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33653", "state": "PUBLISHED", "dateUpdated": "2026-03-27T20:16:06.700Z", "dateReserved": "2026-03-23T15:23:42.218Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T21:00:27.373Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue."}], "id": "CVE-2026-33653", "lastModified": "2026-03-26T22:16:29.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-26T22:16:29.220", "references": [{"source": "[email protected]", "url": "https://github.com/farisc0de/Uploady/commit/e4b4dbec0b45304b5ab01e36a1003d0c7cc613d5"}, {"source": "[email protected]", "url": "https://github.com/farisc0de/Uploady/releases/tag/v3.1.2"}, {"source": "[email protected]", "url": "https://github.com/farisc0de/Uploady/security/advisories/GHSA-2834-m7xm-fqr5"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Uploady", "source": "cna", "vendor": "farisc0de"}, "product": "uploady", "vendor": "farisc0de"}], "analysis": {"en": {"generated_at": "2026-03-26T22:53:08.312274+00:00", "value": {"mitigation_remediation": ["Upgrade to Uploady 3.1.2 or later"], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects the Uploady file uploader script for all releases prior to version 3.1.2. Any deployment that displays original file names, especially in a public or internal web interface, is vulnerable. The fix is implemented in Uploady 3.1.2 and later versions.", "description_and_impact": "A stored cross\u2011site scripting flaw allows attackers to embed executable JavaScript in file names. When these names appear in the file list or detail pages, the script runs in the browsers of any user who views the page, potentially compromising client\u2011side data such as session tokens or enabling phishing attacks. The vulnerability stems from insufficient sanitization of uploaded file names on the server side.", "risk_and_exploitability": "The CVSS score of 4.6 reflects moderate severity. Exploitation requires the ability to upload or rename files; an attacker who can access the upload interface can craft a malicious filename. EPSS data is not available, and the vulnerability is not listed in the KEV catalog. Nonetheless, the potential for client\u2011side compromise, particularly on exposed interfaces, warrants attention."}}}}, "created": "2026-03-27T08:31:52.177786+00:00", "updated": "2026-03-27T09:23:19.407794+00:00", "vendors": ["farisc0de", "farisc0de$PRODUCT$uploady"]}