What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smartredfox Pretty file links pretty-file-links allows Stored XSS. This issue affects Pretty file links: from n/a through <= 0.9.
Explanation of Vulnerability in Simple Terms
02 Summary
Pretty file links versions 0.9 and earlier contain a cross-site scripting vulnerability. An attacker with low-level site access can inject malicious scripts that execute in other users' browsers when they interact with affected file links. The vulnerability requires user interaction and can affect multiple users across the site.
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that run in other users' browsers when they click or view file links.
Potential impact on your site
04 Site Impact
Site users' sessions and data could be compromised if they click malicious file links created by an attacker with contributor access.
Conditions required to exploit
05 Prerequisites
Attacker needs low-level site access (e.g., contributor role) and the victim must interact with a crafted file link.
Key dates
06 Disclosure timeline
March 24, 2025: CVE published
April 28, 2026: Record updated