FKIE_CVE-2026-25154

Vulnerability from fkie_nvd - Published: 2026-01-30 22:15 - Updated: 2026-02-19 15:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch.
References
security-advisories@github.comhttps://github.com/localsend/localsend/commit/8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504cPatch
security-advisories@github.comhttps://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4Exploit, Vendor Advisory
Impacted products
Vendor Product Version
localsend localsend *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:localsend:localsend:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC589644-2FC6-4C09-AC73-266AB31A7E1F",
              "versionEndIncluding": "1.17.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a \"Share via Link\" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch."
    },
    {
      "lang": "es",
      "value": "LocalSend es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto que permite a los usuarios compartir archivos y mensajes con dispositivos cercanos a trav\u00e9s de su red local sin necesidad de una conexi\u00f3n a internet. En versiones hasta la 1.17.0 inclusive, cuando un usuario inicia una sesi\u00f3n de \u0027Compartir mediante enlace\u0027, la aplicaci\u00f3n LocalSend inicia un servidor HTTP local para alojar los archivos seleccionados. La l\u00f3gica del lado del cliente para esta interfaz web est\u00e1 contenida en `app/assets/web/main.js`. Tenga en cuenta que en [0], la funci\u00f3n `handleFilesDisplay` construye el HTML para la lista de archivos al iterar sobre los archivos recibidos del servidor. El commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contiene un parche."
    }
  ],
  "id": "CVE-2026-25154",
  "lastModified": "2026-02-19T15:15:33.287",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-30T22:15:56.490",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/localsend/localsend/commit/8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.