Description
Uploady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue.
Published: 2026-03-26
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

A Stored Cross‑Site Scripting vulnerability exists in Uploady prior to version 3.1.2 because filenames are not properly sanitized. An attacker can upload a file with a malicious filename containing JavaScript. When the filename is displayed in the file list or details page, the script runs in the browser of any user who views that page. The vulnerability does not provide any additional impact beyond the execution of client‑side code in the context of each viewer.

Affected Systems

The affected product is Uploady by farisc0de. All releases before version 3.1.2 are vulnerable; the issue is fixed in 3.1.2 and later. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score is 4.6, indicating moderate severity, while the EPSS score is below 1%, implying low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the file‑upload interface; no special privileges beyond normal upload usage are required. The consequence is that any user who views the file’s details may have their browser affected, but no escalated privileges or data leakage are described in the CVE. Because the impact is limited to the browser context of each viewer, the overall risk is considered moderate and depends on the site’s user base and trust model.

Generated by OpenCVE AI on April 10, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Uploady to version 3.1.2 or later
  • If upgrading is not immediately possible, block uploads that contain scripts or enforce stricter filename validation
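The two controls listed above, shown side by side with the CWE-79 pattern the advisory describes, as an added example that is not Uploady's own code (which this page does not show); the function names, the allowlist policy and the sample filename are assumptions constructed for the demonstration.

```python
"""Escape-on-output and filename validation for an upload file list.

Added example, not Uploady's code: models a stored filename rendered
unescaped in a file list (the CWE-79 pattern in the advisory) next to
the two mitigations OpenCVE recommends. Names and policy are assumed.
"""
import html
import re
from urllib.parse import quote

# Constructed sample: an uploaded filename that carries HTML markup.
MALICIOUS_NAME = '<script>x</script>report.pdf'

# Assumed stored-name policy: single path component, printable ASCII
# letters/digits/dot/dash/underscore, no leading dot, bounded length.
_SAFE_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$')


def validate_filename(name: str) -> bool:
    """Input-side control: accept only names matching the allowlist."""
    base = name.replace('\\', '/').rsplit('/', 1)[-1]   # strip any path
    return base == name and bool(_SAFE_NAME.fullmatch(name))


def render_row_unsafe(name: str) -> str:
    """Vulnerable pattern: stored filename interpolated into HTML as-is."""
    return f'<tr><td><a href="files/{name}">{name}</a></td></tr>'


def render_row_safe(name: str) -> str:
    """Fixed pattern: escape on output, separately for each context.

    The href is a URL context (percent-encode every reserved byte); the
    link text is an HTML text context (entity-encode &, <, >, quotes).
    """
    href = quote(name, safe='')
    text = html.escape(name, quote=True)
    return f'<tr><td><a href="files/{href}">{text}</a></td></tr>'


def leaks_markup(rendered: str, name: str) -> bool:
    """Detection helper: did a name containing '<' reach the page verbatim?"""
    return '<' in name and name in rendered
```

Validation alone is not sufficient, because names already stored before the fix are still rendered; escaping on output is the control that closes the vulnerability for existing data.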

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 14:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:farisc0de:uploady:*:*:*:*:*:*:*:*

Sat, 28 Mar 2026 03:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values added: Farisc0de; Farisc0de uploady
Type: Vendors & Products
Values added: Farisc0de; Farisc0de uploady

Thu, 26 Mar 2026 21:30:00 +0000

Type: Description
Values added: Uploady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue.
Type: Title
Values added: Uploady Vulnerable to Stored Cross-Site Scripting (XSS)
Type: Weaknesses
Values added: CWE-79
Type: References
Values added: (none listed)
Type: Metrics (cvssV3_1)
Values added: {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T20:16:06.700Z

Reserved: 2026-03-23T15:23:42.218Z

Link: CVE-2026-33653

Vulnrichment

Updated: 2026-03-27T20:16:03.762Z

NVD

Status: Analyzed

Published: 2026-03-26T22:16:29.220

Modified: 2026-04-10T14:27:58.470

Link: CVE-2026-33653

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:28:18Z

Weaknesses