The vulnerability identified as CVE-2026-33653 affects farisc0de's Uploady, a multi-file upload script widely used for managing file uploads in web applications. The core issue is a stored Cross-Site Scripting (XSS) flaw categorized under CWE-79, caused by improper neutralization of input during web page generation. Specifically, Uploady versions prior to 3.1.2 fail to sanitize filenames uploaded by users, allowing an attacker to craft filenames containing malicious JavaScript code. When these filenames are later rendered in the file list or file details pages without proper escaping or encoding, the embedded script executes in the context of the victim's browser. This can lead to theft of session cookies, defacement, or execution of arbitrary client-side code. The attack vector requires the attacker to have at least limited privileges to upload files and relies on user interaction to trigger the payload. The vulnerability has a CVSS v3.1 base score of 4.6, reflecting its medium severity, with an attack vector of network, low attack complexity, and requiring privileges and user interaction. No known exploits have been reported in the wild as of the publication date. The vendor addressed the vulnerability in version 3.1.2 by implementing proper escaping of filenames before rendering them in the UI, effectively mitigating the risk. This vulnerability highlights the importance of rigorous input validation and output encoding in web applications, especially those handling user-generated content such as file uploads.

The primary impact of this vulnerability is the potential for attackers to execute arbitrary JavaScript in the browsers of users who view maliciously named files within the Uploady interface. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of the user, or delivery of further malware. While the vulnerability does not directly compromise server confidentiality or availability, the client-side impact can be significant, especially in environments where sensitive data or privileged user sessions are involved. Organizations using Uploady in internal or customer-facing portals risk exposing their users to phishing, social engineering, or persistent client-side attacks. The requirement for an attacker to have upload privileges limits the attack surface but does not eliminate risk, as many applications allow authenticated users or even guests to upload files. The medium CVSS score reflects moderate risk, but the potential for chained attacks or exploitation in high-value environments could increase the overall impact. Failure to patch could also damage organizational reputation and user trust if exploited.

Organizations should immediately upgrade Uploady to version 3.1.2 or later to apply the official fix that properly escapes filenames before rendering. Beyond patching, implement strict input validation on filenames to reject or sanitize suspicious characters such as angle brackets, quotes, and script tags. Employ output encoding techniques (e.g., HTML entity encoding) whenever displaying user-supplied data in web pages to prevent script execution. Restrict file upload permissions to trusted users only and monitor upload activity for anomalous behavior. Consider implementing Content Security Policy (CSP) headers to limit the impact of any injected scripts. Regularly audit and test web applications for XSS vulnerabilities, including stored XSS in file upload components. Educate developers on secure coding practices related to input handling and output encoding. Finally, maintain comprehensive logging and alerting to detect potential exploitation attempts promptly.