{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25154", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T15:39:11.822Z", "datePublished": "2026-01-30T21:59:30.234Z", "dateUpdated": "2026-02-02T16:29:18.825Z"}, "containers": {"cna": {"title": "LocalSend has Stored XSS in Web Share Interface via Filename", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4"}, {"name": "https://github.com/localsend/localsend/commit/8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c", "tags": ["x_refsource_MISC"], "url": "https://github.com/localsend/localsend/commit/8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c"}], "affected": [{"vendor": "localsend", "product": "localsend", "versions": [{"version": "<= 1.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-30T21:59:30.234Z"}, "descriptions": [{"lang": "en", "value": "LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a \"Share via Link\" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch."}], "source": {"advisory": "GHSA-34v6-52hh-x4r4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-02T16:25:11.505933Z", "id": "CVE-2026-25154", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T16:29:18.825Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25154", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-02T16:25:11.505933Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T16:25:12.374Z"}}], "cna": {"title": "LocalSend has Stored XSS in Web Share Interface via Filename", "source": {"advisory": "GHSA-34v6-52hh-x4r4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "localsend", "product": "localsend", "versions": [{"status": "affected", "version": "<= 1.17.0"}]}], "references": [{"url": "https://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4", "name": "https://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/localsend/localsend/commit/8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c", "name": "https://github.com/localsend/localsend/commit/8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a \"Share via Link\" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-30T21:59:30.234Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25154", "state": "PUBLISHED", "dateUpdated": "2026-02-02T16:29:18.825Z", "dateReserved": "2026-01-29T15:39:11.822Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-30T21:59:30.234Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:localsend:localsend:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC589644-2FC6-4C09-AC73-266AB31A7E1F", "versionEndIncluding": "1.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a \"Share via Link\" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch."}], "id": "CVE-2026-25154", "lastModified": "2026-02-19T15:15:33.287", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-30T22:15:56.490", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/localsend/localsend/commit/8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:28:03.972194+00:00", "value": {"mitigation_remediation": ["Update LocalSend to the latest available version, which includes a fix that sanitizes filenames in the web share interface.", "Configure local network or firewall settings to restrict access to the built\u2011in HTTP server, limiting the possibility of unintended users visiting the share link.", "Avoid using filenames that contain script tags or special characters when adding files to the share list; rename or sanitize filenames beforehand."], "summary": {"action": "Patch", "impact": "Stored XSS in LocalSend Web Share Interface"}, "threat_synthesis": {"affected_systems": "All installations of LocalSend up to and including version 1.17.0 are affected. The vulnerability resides in the web share interface served by the app\u2019s built\u2011in HTTP server. The flaw is accessible whenever a user initiates a \u201cShare via Link\u201d session, regardless of the host operating system.", "description_and_impact": "A stored cross\u2011site scripting flaw exists in LocalSend\u2019s web share interface. When a file with a maliciously crafted filename is added, the app embeds that filename directly into the HTML list displayed by its local HTTP server. A victim who visits the share link executes the embedded script in the browser context of the LocalSend web interface, enabling arbitrary JavaScript execution that can read or manipulate the page, potentially stealing local data or mimicking user actions.", "risk_and_exploitability": "The CVSS score of 6.1 reflects medium severity, and the EPSS score of <1% indicates a low probability of widespread exploitation, with the vulnerability not listed in the KEV catalog. Attackers can exploit the flaw trivially by providing a file name containing script tags; once a victim opens the generated link on the local network, the malicious script runs. Because the attack requires the victim to visit the local share URL, the risk is moderate but can be significant in environments where devices are exposed to untrusted users or the link is distributed widely."}}}}, "created": "2026-02-02T09:27:13.549821+00:00", "updated": "2026-04-18T14:30:02.946872+00:00", "vendors": ["localsend", "localsend$PRODUCT$localsend"]}