Share
## https://sploitus.com/exploit?id=1EDF4A6F-5387-55B6-A40A-1DE566B33042
# CVE-2026-29971
An attacker can execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking or privilege escalation.

# CVE-2026-29971

## Vulnerability
Reflected Cross-Site Scripting (XSS)

## Affected Product
WebFileSys

## Affected Version
2.31.1

## Description
A reflected cross-site scripting vulnerability exists in WebFileSys
version 2.31.1. User-controlled input is reflected into HTML and
JavaScript contexts without proper output encoding, allowing an
attacker to execute arbitrary JavaScript in the victim's browser.

## Impact
An attacker may exploit this issue by inducing a victim to interact
with a crafted request or link. Successful exploitation can lead to:

- Session hijacking
- Credential theft
- Unauthorized actions within the authenticated session

## Affected Components
- ftpBackup functionality
- authentication input handling
- search functionality
- error message rendering

## Steps to Reproduce

1. Navigate to the WebFileSys login page.
2. Inject the following payload in the affected parameter.

Example payload:

alert(1)

3. Submit the request.
4. The payload is reflected and executed in the browser.

## CVE
CVE-2026-29971

## Discoverer
Tharun Teja Chidurala

## References
https://www.webfilesys.de/
https://vulners.com/cve/CVE-2026-29971