# CVE-2026-29971 Vulnerability Summary

## Vulnerability Overview

* **Vulnerability Name**: CVE-2026-29971
* **Vulnerability Type**: Reflected Cross-Site Scripting (Reflected XSS)
* **Affected Product**: WebFileSys
* **Affected Version**: 2.31.1
* **Vulnerability Description**: A reflected cross-site scripting vulnerability exists in WebFileSys version 2.31.1. User-controllable input is reflected into HTML and JavaScript contexts without proper output encoding, allowing attackers to execute arbitrary JavaScript code in the victim's browser.

## Impact Scope

* **Potential Consequences**:
  * Session hijacking
  * Credential theft
  * Execution of unauthorized operations within authenticated sessions
* **Affected Components**:
  * ftpBackup feature
  * Authentication input processing
  * Search functionality
  * Error message rendering

## Remediation

* **Status**: The page displays "No releases published," and no specific patch download links or code fixes are provided.
* **Recommendation**: Users are advised to upgrade to a patched version (if available) or implement strict input validation and output encoding for affected components (such as search and authentication inputs).

## POC / Exploit Code

**Reproduction Steps**:

1. Navigate to the WebFileSys login page.
2. Inject the following payload into the affected parameter.
3. Submit the request.
4. The payload will be reflected and executed in the browser.

**Example Payload**:

```html
<IMG SRC="javascript:alert('XSS');" , %3CScRiPt%3Ealert(1)%3C%2FScRiPt%3E, anything%00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxidz, <%
```
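
The Recommendation above asks for output encoding in both HTML and JavaScript contexts. The following is an added example, not code from WebFileSys or from the advisory: it shows one encoder per context and runs the payload strings quoted on this page through both. The helper names (`encodeForHtml`, `encodeForJsString`, `renderBoth`) and the two response templates are assumptions made for illustration.

```javascript
// Added example; helper names and the two page templates are hypothetical.

// HTML text or quoted-attribute sink: neutralise markup and quote characters.
const HTML_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeForHtml(value) {
  return String(value)
    .replace(/\0/g, "\uFFFD") // NUL is never valid in markup
    .replace(/[&<>"']/g, (c) => HTML_MAP[c]);
}

// JavaScript string-literal sink: escape everything outside a small safe set,
// so the value can close neither the literal nor the enclosing <script> block.
function encodeForJsString(value) {
  return Array.from(String(value), (ch) => {
    if (/[A-Za-z0-9 _.,-]/.test(ch)) return ch;
    const cp = ch.codePointAt(0);
    return cp <= 0xffff
      ? "\\u" + cp.toString(16).padStart(4, "0")
      : "\\u{" + cp.toString(16) + "}";
  }).join("");
}

// The three complete payload strings quoted on this page (the trailing "<%"
// fragment is left out), URL-decoded the way a server would see them.
const PAGE_PAYLOADS = [
  "<IMG SRC=\"javascript:alert('XSS');\"",
  "%3CScRiPt%3Ealert(1)%3C%2FScRiPt%3E",
  "anything%00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxidz",
].map((p) => decodeURIComponent(p));

// Write one value into both kinds of sink the advisory names.
function renderBoth(value) {
  return {
    html: `<p class="error">No results for ${encodeForHtml(value)}</p>`,
    js: `<script>var query = "${encodeForJsString(value)}";</script>`,
  };
}

function demo() {
  return PAGE_PAYLOADS.map(renderBoth);
}

for (const r of demo()) console.log(r.html + "\n" + r.js);
```

The two encoders are not interchangeable: browsers do not decode HTML entities inside a `<script>` element, so a value written into a JavaScript string needs the `\uXXXX` form, while a value written into markup needs the entity form.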