## https://sploitus.com/exploit?id=1EDF4A6F-5387-55B6-A40A-1DE566B33042
# CVE-2026-29971
An attacker can execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking or privilege escalation.
# CVE-2026-29971
## Vulnerability
Reflected Cross-Site Scripting (XSS)
## Affected Product
WebFileSys
## Affected Version
2.31.1
## Description
A reflected cross-site scripting vulnerability exists in WebFileSys
version 2.31.1. User-controlled input is reflected into HTML and
JavaScript contexts without proper output encoding, allowing an
attacker to execute arbitrary JavaScript in the victim's browser.
## Impact
An attacker may exploit this issue by inducing a victim to interact
with a crafted request or link. Successful exploitation can lead to:
- Session hijacking
- Credential theft
- Unauthorized actions within the authenticated session
## Affected Components
- ftpBackup functionality
- authentication input handling
- search functionality
- error message rendering
## Steps to Reproduce
1. Navigate to the WebFileSys login page.
2. Inject the following payload in the affected parameter.
Example payload:
alert(1)
3. Submit the request.
4. The payload is reflected and executed in the browser.
## CVE
CVE-2026-29971
## Discoverer
Tharun Teja Chidurala
## References
https://www.webfilesys.de/
https://vulners.com/cve/CVE-2026-29971