{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29971", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T13:24:00.686Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T13:24:00.686Z"}, "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability exists in WebFileSys version before 2.32.0 and fixed in v.2.32.0. User-controlled input is reflected into HTML and JavaScript contexts without proper output encoding, allowing arbitrary JavaScript execution in the victim's browser via the ftpBackup functionality, authentication input handling, search functionality, and error message rendering components"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.webfilesys.de/"}, {"url": "https://github.com/Tharooon/CVE-2026-29971/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability exists in WebFileSys version 2.31.1. User-controlled input is reflected into HTML and JavaScript contexts without proper output encoding, allowing arbitrary JavaScript execution in the victim's browser."}], "id": "CVE-2026-29971", "lastModified": "2026-04-27T21:16:33.267", "metrics": {}, "published": "2026-04-27T21:16:33.267", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Tharooon/CVE-2026-29971/"}, {"source": "cve@mitre.org", "url": "https://www.webfilesys.de/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.31.1"}}], "enrichment": {"confidence": 83.0, "confidence_source": "inferred", "scores": [{"score": 83.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "webfilesys", "vendor": "webfilesys"}], "analysis": {"en": {"generated_at": "2026-04-28T13:18:25.117398+00:00", "value": {"mitigation_remediation": ["Upgrade to a patch or newer version of WebFileSys that fixes the XSS flaw.", "Implement proper input validation and output encoding to prevent unsanitized data from being reflected into the browser.", "Deploy a Content Security Policy that restricts script execution to trusted sources to mitigate the impact of accidental or legacy XSS vulnerabilities."], "summary": {"action": "Immediate Patch", "impact": "Remote Script Execution in Browser"}, "threat_synthesis": {"affected_systems": "The affected product is WebFileSys version 2.31.1, a web file management system. No additional vendor or product details are available. The issue is present in that specific version and is likely confined to the web interfaces that accept user input.", "description_and_impact": "The vulnerability is a reflected cross\u2011site scripting flaw that allows an attacker to inject arbitrary JavaScript code into a victim\u2019s browser by supplying specially crafted input. This benign input is incorporated into HTML and JavaScript contexts without proper encoding, giving the attacker the ability to execute scripts that can hijack user sessions, steal credentials, or deface web content. The attack compromises confidentiality, integrity, and availability of the affected application for users who interact with the vulnerable components.", "risk_and_exploitability": "The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score is not provided. Based on the description, the likely attack vector is a reflected XSS scenario where an attacker supplies malicious input via a URL or form, which is immediately reflected back to the victim\u2019s browser. The exploit requires no special permissions beyond the ability to craft the request, making it potentially exploitable by a wide range of attackers."}}}}, "created": "2026-04-28T09:17:41.529630+00:00", "title": "Reflected Cross\u2011Site Scripting in WebFileSys 2.31.1", "updated": "2026-04-28T13:30:32.084336+00:00", "vendors": ["webfilesys", "webfilesys$PRODUCT$webfilesys"], "weaknesses": ["CWE-79"]}