Description
LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch.
Published: 2026-01-30
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS in LocalSend Web Share Interface
Action: Patch
AI Analysis

Impact

A stored cross‑site scripting flaw exists in LocalSend’s web share interface. When a file with a maliciously crafted filename is added, the app embeds that filename directly into the HTML list displayed by its local HTTP server. A victim who visits the share link executes the embedded script in the browser context of the LocalSend web interface, enabling arbitrary JavaScript execution that can read or manipulate the page, potentially stealing local data or mimicking user actions.

Affected Systems

All installations of LocalSend up to and including version 1.17.0 are affected. The vulnerability resides in the web share interface served by the app’s built‑in HTTP server. The flaw is accessible whenever a user initiates a “Share via Link” session, regardless of the host operating system.

Risk and Exploitability

The CVSS score of 6.1 reflects medium severity, and the EPSS score of <1% indicates a low probability of widespread exploitation, with the vulnerability not listed in the KEV catalog. Attackers can exploit the flaw trivially by providing a file name containing script tags; once a victim opens the generated link on the local network, the malicious script runs. Because the attack requires the victim to visit the local share URL, the risk is moderate but can be significant in environments where devices are exposed to untrusted users or the link is distributed widely.

Generated by OpenCVE AI on April 18, 2026 at 14:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update LocalSend to the latest available version, which includes a fix that sanitizes filenames in the web share interface.
  • Configure local network or firewall settings to restrict access to the built‑in HTTP server, limiting the possibility of unintended users visiting the share link.
  • Avoid using filenames that contain script tags or special characters when adding files to the share list; rename or sanitize filenames beforehand.

Generated by OpenCVE AI on April 18, 2026 at 14:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:localsend:localsend:*:*:*:*:*:*:*:*

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Localsend
Localsend localsend
Vendors & Products Localsend
Localsend localsend

Mon, 02 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 30 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch.
Title LocalSend has Stored XSS in Web Share Interface via Filename
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Localsend Localsend
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-02T16:29:18.825Z

Reserved: 2026-01-29T15:39:11.822Z

Link: CVE-2026-25154

cve-icon Vulnrichment

Updated: 2026-02-02T16:25:12.374Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-30T22:15:56.490

Modified: 2026-02-19T15:15:33.287

Link: CVE-2026-25154

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:30:02Z

Weaknesses