CVE-2024-43799 MEDIUM

CVE-2024-43799: send vulnerable to template injection that can lead to XSS

Vendor Pillarjs
Product send
Weakness CWE-79 · XSS
Published September 10, 2024
Last update November 3, 2025

CVSS base score

5.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.

Key dates

02Disclosure timeline

September 10, 2024 CVE published
November 3, 2025 Record updated