CVE-2026-29971

MEDIUM

WebFileSys 2.31.1 - XSS

Title source: llm

Description

A reflected cross-site scripting (XSS) vulnerability exists in WebFileSys versions before 2.32.0; it is fixed in v2.32.0. User-controlled input is reflected into HTML and JavaScript contexts without proper output encoding, allowing arbitrary JavaScript execution in the victim's browser. The affected components are the ftpBackup functionality, authentication input handling, search functionality, and error message rendering.

Exploits (2)

github WRITEUP
by Tharooon · poc
https://github.com/Tharooon/CVE-2026-29971
nomisec WORKING POC
by tharunchidurala-cyber · poc
https://github.com/tharunchidurala-cyber/BACkupCVE-2026-29971

Scores

CVSS v3 6.1
EPSS 0.0002
EPSS Percentile 3.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Published Apr 27, 2026
Tracked Since Apr 28, 2026