{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29971", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T15:03:11.279Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T13:24:00.686Z"}, "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability exists in WebFileSys version before 2.32.0 and fixed in v.2.32.0. User-controlled input is reflected into HTML and JavaScript contexts without proper output encoding, allowing arbitrary JavaScript execution in the victim's browser via the ftpBackup functionality, authentication input handling, search functionality, and error message rendering components"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.webfilesys.de/"}, {"url": "https://github.com/Tharooon/CVE-2026-29971/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://github.com/Tharooon/CVE-2026-29971/", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T15:02:37.372905Z", "id": "CVE-2026-29971", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:03:11.279Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability exists in WebFileSys version before 2.32.0 and fixed in v.2.32.0. User-controlled input is reflected into HTML and JavaScript contexts without proper output encoding, allowing arbitrary JavaScript execution in the victim's browser via the ftpBackup functionality, authentication input handling, search functionality, and error message rendering components"}], "id": "CVE-2026-29971", "lastModified": "2026-04-28T20:13:21.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-27T21:16:33.267", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Tharooon/CVE-2026-29971/"}, {"source": "cve@mitre.org", "url": "https://www.webfilesys.de/"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/Tharooon/CVE-2026-29971/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.31.1"}}], "enrichment": {"confidence": 83.0, "confidence_source": "inferred", "scores": [{"score": 83.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "webfilesys", "vendor": "webfilesys"}], "analysis": {"en": {"generated_at": "2026-04-28T23:32:30.699653+00:00", "value": {"mitigation_remediation": ["Upgrade to a patch or newer version of WebFileSys that fixes the XSS flaw.", "Implement proper input validation and output encoding to prevent unsanitized data from being reflected into the browser.", "Deploy a Content Security Policy that restricts script execution to trusted sources to mitigate the impact of accidental or legacy XSS vulnerabilities."], "summary": {"action": "Immediate Patch", "impact": "Remote Script Execution in Browser"}, "threat_synthesis": {"affected_systems": "The affected product is WebFileSys version 2.31.1, a web file management system. No additional vendor or product details are available. The issue is present in that specific version and is likely confined to the web interfaces that accept user input.", "description_and_impact": "WebFileSys versions earlier than 2.32.0 contain a reflected cross\u2011site scripting flaw that lets an attacker inject arbitrary JavaScript into a victim\u2019s browser by providing crafted input. Unsanitized user data is reflected into HTML and JavaScript contexts within the ftpBackup feature, authentication input handling, search functionality, and error message rendering components. When executed, the malicious script can hijack the user\u2019s session, exfiltrate credentials, or deface the web interface, thereby compromising confidentiality, integrity, and the user\u2019s ability to safely interact with the application.", "risk_and_exploitability": "The EPSS score is < 1%, and the vulnerability is not listed in CISA KEV catalog. The CVSS base score of 6.1 indicates a medium severity. Based on the description, the likely attack vector is a reflected XSS scenario where an attacker supplies malicious input via a URL or form, which is immediately reflected back to the victim\u2019s browser. The exploit requires no special permissions beyond the ability to craft the request, making it potentially exploitable by a wide range of attackers."}}}}, "created": "2026-04-28T09:17:41.529630+00:00", "updated": "2026-04-28T23:45:16.045706+00:00", "vendors": ["webfilesys", "webfilesys$PRODUCT$webfilesys"]}