CVE-2026-25154
📋 TL;DR
LocalSend versions up to and including 1.17.0 contain a cross-site scripting (XSS) vulnerability in the 'Share via Link' feature. When a user shares files via link, the web page served to recipients writes the shared file names into its HTML without proper encoding, so a file name containing HTML or JavaScript is rendered as markup and the script runs in the browser of anyone who opens the link. This affects every user who shares files via link with a vulnerable version, and anyone who opens such a link in a browser.
💻 Affected Systems
- LocalSend
📦 What is this software?
LocalSend, an open-source, cross-platform application for sending files between devices on the same local network. Its 'Share via Link' feature serves the selected files from a small web server on the sharing device so that recipients can download them in a browser.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who controls the name of a shared file could execute arbitrary JavaScript in the browser of anyone viewing the LocalSend share page, in the origin of the sharing device's web server. From there the script could read whatever the page exposes, redirect the viewer to a malicious site, or issue requests against that origin on the viewer's behalf.
Likely Case
Limited in practice: the attacker must already be on the same local network and the share page exposes little beyond the file listing. An injected script could still redirect a recipient to a phishing page, tamper with what the recipient downloads, or perform actions on behalf of anyone who opens the vulnerable page.
If Mitigated
With output encoding applied to file names wherever they are written into the page (and input validation as defence in depth), injected markup is displayed as literal text and never executes, which removes the XSS vector; the underlying share functionality is otherwise unchanged.
🎯 Exploit Status
Exploitation requires the attacker to be on the same local network as the victim, to share a file whose name contains HTML or JavaScript, and to get the victim to open the resulting share link in a browser. No public exploit is referenced in the advisory; the payload is simply the crafted file name.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.17.0 (fixed in commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c)
Vendor Advisory: https://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4
Restart Required: Yes
Instructions:
1. Update LocalSend to the latest version.
2. Restart the application.
3. Verify the version is greater than 1.17.0.
🔧 Temporary Workarounds
Disable Share via Link feature
Avoid using the vulnerable 'Share via Link' functionality until patched; normal device-to-device transfers are not affected by this issue.
Network segmentation
Restrict LocalSend traffic to trusted devices only on the local network, and do not open share links from devices you do not control.
🧯 If You Can't Patch
- Disable the 'Share via Link' feature entirely
- Use LocalSend only on isolated, trusted networks with no untrusted devices
🔍 How to Verify
Check if Vulnerable:
Check the LocalSend version in the application settings or about dialog. If the version is 1.17.0 or lower, you are vulnerable.
Check Version:
Check the application settings or about dialog (there is no universal command, as LocalSend is a GUI application).
Verify Fix Applied:
After updating, verify the version is greater than 1.17.0. Then share a file whose name contains HTML markup (for example a harmless name such as `<b>test</b>.txt`) via link and open the link in a browser: the name must appear as literal text, not as rendered markup.
📡 Detection & Monitoring
Log Indicators:
- Shared or requested file names containing `<script`, `on...=` event handlers, `javascript:` or other HTML markup in LocalSend logs, whether raw or percent-encoded
- Share-link requests from devices that are not expected to be on the network
Network Indicators:
- HTTP requests to the LocalSend share-link web server whose file path segment contains HTML or JavaScript markup (raw or percent-encoded)
- Browsers that opened a share page making follow-on requests to hosts outside the local network, which could indicate a redirect or exfiltration by an injected script
SIEM Query:
Search HTTP request or URL fields for LocalSend share-link paths whose file-name segment matches `<script`, an `on<event>=` handler or `javascript:`, decoding percent-encoding before matching. LocalSend's own log format is not specified in the advisory, so adapt the field names to what your collector records.