Description
Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the browser when the file is viewed by other users, particularly affecting System Administrator users on the Dashboard page.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Projectsend r1295 stores the value of the 'name' parameter from files-edit.php without proper sanitization, allowing an authenticated attacker to inject JavaScript that executes whenever the file is viewed. The weakness is identified as CWE-79.

Affected Systems

The vulnerability affects installations of Projectsend in the r1295 release. No additional version ranges are specified.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity. EPSS is not available, so the exploitation probability cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated to submit the malicious file name, but once the payload is stored it will run in the browser of any user who accesses the file, particularly System Administrator users on the Dashboard page.

Generated by OpenCVE AI on May 10, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Projectsend to a release newer than r1295 where the 'name' input in files-edit.php is properly sanitized.
  • If an upgrade cannot be performed immediately, restrict access to the file edit functionality so that only trusted administrators can use it or disable the feature entirely.
  • In the interim, implement input validation that removes or encodes HTML tags and special characters from the 'name' field before storing it.

Tracking

Advisories

No advisories yet.

History

Sun, 10 May 2026 13:00:00 +0000

Type | Values Removed | Values Added
Description | | Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the browser when the file is viewed by other users, particularly affecting System Administrator users on the Dashboard page.
Title | | Projectsend r1295 Stored Cross-Site Scripting via files-edit.php
First Time appeared | | Projectsend; Projectsend projectsend
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:projectsend:projectsend:r1295:*:*:*:*:*:*:*
Vendors & Products | | Projectsend; Projectsend projectsend
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:44:04.333Z

Reserved: 2026-02-01T11:24:18.718Z

Link: CVE-2021-47947

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T13:16:31.180

Modified: 2026-05-10T13:16:31.180

Link: CVE-2021-47947

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T15:30:14Z

Weaknesses