Impact
WebFileSys versions earlier than 2.32.0 contain a reflected cross‑site scripting flaw that lets an attacker inject arbitrary JavaScript into a victim’s browser by providing crafted input. Unsanitized user data is reflected into HTML and JavaScript contexts within the ftpBackup feature, authentication input handling, search functionality, and error message rendering components. When executed, the malicious script can hijack the user’s session, exfiltrate credentials, or deface the web interface, thereby compromising confidentiality, integrity, and the user’s ability to safely interact with the application.
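The description names two output contexts, HTML and JavaScript, and each needs its own encoder. The following is an added example, not WebFileSys code and not the vendor's fix; the function names, the page fragment and the sample value are hypothetical and constructed for illustration.

```javascript
// Added example: context-specific output encoding for a reflected value.
// All names here are hypothetical; this is not WebFileSys code.

// HTML element / quoted-attribute context: neutralise markup metacharacters.
function encodeForHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: emit every UTF-16 unit outside a small
// allow-list as \uXXXX, so the value cannot terminate the string literal,
// escape its closing quote, or close the surrounding <script> element.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// A hypothetical "no results" fragment that reflects the same search term
// into both contexts, using the encoder that matches each one.
function renderSearchError(term) {
  return [
    '<p class="error">No results for "' + encodeForHtml(term) + '"</p>',
    '<script>var lastSearch = "' + encodeForJsString(term) + '";</script>',
  ].join("\n");
}

// Constructed sample: a quote, a closing script tag and a trailing backslash.
// HTML encoding alone leaves the backslash untouched, which inside a
// JavaScript string literal would escape the closing quote.
const SAMPLE = 'report"</script>\\';

console.log(renderSearchError(SAMPLE));
```

Applying `encodeForHtml` inside the script element would leave backslashes and line terminators intact, which is why the JavaScript context gets a separate encoder.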
Affected Systems
The affected product is WebFileSys version 2.31.1, a web file management system. No additional vendor or product details are available. The issue is present in that specific version and is likely confined to the web interfaces that accept user input.
Risk and Exploitability
The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog. The CVSS base score of 6.1 indicates medium severity. Based on the description, the likely attack vector is a reflected XSS scenario in which an attacker supplies malicious input via a URL or form, and that input is immediately reflected back to the victim’s browser. The exploit requires no special permissions beyond the ability to craft the request, making it potentially exploitable by a wide range of attackers.