Description
An HTML injection vulnerability in the file view endpoint of LiquidFiles v4.2.7 allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's browser via the uploading of and user interaction with a crafted HTML file.
Published: 2026-07-07
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an HTML injection flaw in the file view endpoint of LiquidFiles version 4.2.7, allowing authenticated users to upload a crafted HTML file. When the recipient opens the file in a browser, the injected HTML causes the browser to execute arbitrary JavaScript in the victim’s context. This can lead to session hijacking, data theft, defacement, or other malicious actions carried out entirely within the victim’s session.

Affected Systems

LiquidFiles, version 4.2.7, which implements the file view endpoint that exposes this injection surface. No other product versions are explicitly referenced in the advisory.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the lack of public exploitation data does not negate its potential impact. Because the flaw requires authenticated upload access, attackers need to be authenticated as a user of the system. No specific attack vector details beyond this context are disclosed in the description, so it is inferred that an attacker must first upload a specially crafted file and then have another authorized user view it.

Generated by OpenCVE AI on July 8, 2026 at 04:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LiquidFiles to the latest available version that resolves the HTML injection flaw
  • Limit file upload permissions so that only trusted users can upload files that might be viewed by others
  • Disable or restrict the upload of files containing HTML or script tags, enforcing strict MIME type validation
  • Implement a robust Content Security Policy that blocks inline script execution to mitigate the impact of any remaining XSS vectors

Generated by OpenCVE AI on July 8, 2026 at 04:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 05:15:00 +0000

Type Values Removed Values Added
Title Stored XSS via Crafted HTML File Upload
Weaknesses CWE-79

Tue, 07 Jul 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Liquidfiles
Liquidfiles liquidfiles
Vendors & Products Liquidfiles
Liquidfiles liquidfiles

Tue, 07 Jul 2026 22:45:00 +0000

Type Values Removed Values Added
Description An HTML injection vulnerability in the file view endpoint of LiquidFiles v4.2.7 allows authenticated attackers to execute arbitrary JavaScript in the context of the victim's browser via the uploading of and user interaction with a crafted HTML file.
References

Subscriptions

Liquidfiles Liquidfiles
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-07-07T22:05:35.675Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36163

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T05:00:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')