Primary

Context

Projectsend Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Projectsend version r1295. This issue allows authenticated attackers to inject malicious scripts by manipulating the 'name' parameter in the 'files-edit.php' page. The injected JavaScript executes in the browser of users who view the file, with a particular impact on System Administrators accessing the Dashboard.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the file.

Reproduction

To reproduce this vulnerability, upload a file through the Projectsend application as an authenticated user. In the 'name' parameter, insert a script payload, such as a JavaScript alert. Once the file is uploaded, the injected script will execute when the file is accessed by a user with System Administrator privileges on the Dashboard.

Added: May 10, 2026, 1:32 PM

Updated: May 10, 2026, 1:32 PM

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

1.7

exploitability

6.5

remediation

0.0

relevance

7.9

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

1.7

exploitability

6.5

remediation

0.0

relevance

7.9

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Projectsend Stored Cross-Site Scripting Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

Projectsend

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating