CVE-2026-29971

MEDIUM

WebFileSys < 2.32.0 - Reflected Cross-Site Scripting via FTP Backup, Authentication, Search, and Error Handling

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-29971. PoCs published by Tharooon, tharunchidurala-cyber.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2026-29971, a reflected XSS vulnerability in WebFileSys 2.31.1. It includes payload examples and affected components but lacks functional exploit code.

Description

A reflected cross-site scripting (XSS) vulnerability exists in WebFileSys versions before 2.32.0 and is fixed in 2.32.0. User-controlled input is reflected into HTML and JavaScript contexts without proper output encoding, allowing arbitrary JavaScript execution in the victim's browser via the ftpBackup functionality, authentication input handling, search functionality, and error message rendering components.

Exploits (2)

github WRITEUP
by Tharooon · poc
https://github.com/Tharooon/CVE-2026-29971

This repository provides a detailed technical analysis of CVE-2026-29971, a reflected XSS vulnerability in WebFileSys 2.31.1. It includes payload examples and affected components but lacks functional exploit code.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WebFileSys 2.31.1
No auth needed
Prerequisites: victim interaction with crafted link/request
devstral-2 · analyzed Apr 28, 2026
nomisec WORKING POC
by tharunchidurala-cyber · poc
https://github.com/tharunchidurala-cyber/BACkupCVE-2026-29971

The repository demonstrates a stored XSS vulnerability in BACkup software via injection of a simple JavaScript payload into multiple input fields (login username, search input, and ftpBackup parameter). The lack of proper output encoding allows arbitrary script execution in the browser context.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: BACkup (version unspecified)
No auth needed
Prerequisites: access to vulnerable input fields
devstral-2 · analyzed Apr 28, 2026

Scores

CVSS v3 6.1
EPSS 0.0030
EPSS Percentile 21.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Published Apr 27, 2026
Tracked Since Apr 28, 2026