Share
## https://sploitus.com/exploit?id=PACKETSTORM:222116
# CVE-2026-29971
    An attacker can execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking or privilege escalation.
    # CVE-2026-29971
    
    ## Vulnerability
    Reflected Cross-Site Scripting (XSS)
    
    ## Affected Product
    WebFileSys
    
    ## Affected Version
    2.31.1
    
    ## Description
    A reflected cross-site scripting vulnerability exists in WebFileSys
    version 2.31.1. User-controlled input is reflected into HTML and
    JavaScript contexts without proper output encoding, allowing an
    attacker to execute arbitrary JavaScript in the victim's browser.
    
    ## Impact
    An attacker may exploit this issue by inducing a victim to interact
    with a crafted request or link. Successful exploitation can lead to:
    
    - Session hijacking
    - Credential theft
    - Unauthorized actions within the authenticated session
    
    ## Affected Components
    - ftpBackup functionality
    - authentication input handling
    - search functionality
    - error message rendering
    
    ## Steps to Reproduce
    
    1. Navigate to the WebFileSys login page.
    2. Inject the following payload in the affected parameter.
    
    Example payloads which worked:
    <IMG SRC=\"javascript&#058;alert('XSS')\", 
    %3CScRiPt%3Ealert(1)%3C%2FsCriPt%3E, 
    <%<!--'%><script>alert(1);</script -->
    
    
    3. Submit the request.
    4. The payload is reflected and executed in the browser.
    
    ## CVE
    CVE-2026-29971
    
    ## Discoverer
    Tharun Teja Chidurala
    
    ## References
    https://www.cve.org/CVERecord?id=CVE-2026-29971
    
    
    
    --- packet storm appended poc ---
    
    # Proof of Concept
    
    Payload:
    <script>alert(1)</script>
    
    Injected into:
    - login username field
    - search input
    - ftpBackup parameter
    
    Result:
    JavaScript executes in the browser context due to improper output encoding.