CVE-2026-25154 Overview
CVE-2026-25154 is a Cross-Site Scripting (XSS) vulnerability discovered in LocalSend, a free, open-source application that enables users to share files and messages with nearby devices over their local network without requiring an internet connection. The vulnerability exists in versions up to and including 1.17.0, where the "Share via Link" feature fails to properly sanitize user-controlled input when rendering the file list in the web interface.
When a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in app/assets/web/main.js. The handleFilesDisplay function constructs the HTML for the file list by iterating over the files received from the server, but does not adequately sanitize file names or other user-controllable data before inserting them into the DOM.
Critical Impact
Attackers can inject malicious JavaScript code that executes in the context of victims' browsers when they access a shared link, potentially leading to session hijacking, credential theft, or redirection to malicious sites.
Affected Products
- LocalSend versions up to and including 1.17.0
- LocalSend Share via Link feature (app/assets/web/main.js)
- LocalSend local HTTP server component
Discovery Timeline
- 2026-01-30 - CVE-2026-25154 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-25154
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The flaw occurs in the client-side JavaScript responsible for rendering shared files in the web-based interface.
When LocalSend hosts files through its "Share via Link" feature, the handleFilesDisplay function in app/assets/web/main.js dynamically constructs HTML elements to display the list of available files. The function iterates over file metadata received from the local HTTP server and directly inserts this data into the DOM without proper encoding or sanitization.
An attacker with the ability to control file names or metadata (such as by having the victim share a maliciously named file) can inject arbitrary JavaScript code that will execute when another user views the shared file listing in their browser. This attack requires user interaction, as the victim must access the shared link generated by LocalSend.
Root Cause
The root cause of this vulnerability lies in the unsafe DOM manipulation practices within the handleFilesDisplay function. Instead of using safe methods like textContent or properly escaping HTML entities, the code constructs HTML strings by concatenating user-controllable data directly into innerHTML or similar DOM insertion points.
This pattern of unsafe string concatenation for HTML generation is a common source of XSS vulnerabilities in JavaScript applications. The file names and potentially other metadata fields are trusted implicitly without validation, allowing script injection through specially crafted file names containing HTML/JavaScript payloads.
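The two patterns contrasted side by side, as an added example that is not LocalSend's code and not the project's actual fix: the string-concatenation renderer the text describes, an escaping renderer, and a DOM-API renderer using textContent. The file fields (id, name), the /download/ path layout and the sample names are assumptions.

```javascript
// Added example, not LocalSend's code; file fields (id, name) and the path layout are assumed.
const SAMPLE_FILES = [ // constructed sample input, including the page's payload name
  { id: "a1", name: "report.pdf" },
  { id: "b2", name: "<img src=x onerror=alert(document.cookie)>.txt" },
];

// Vulnerable pattern: user-controlled names concatenated straight into markup.
function buildFileListUnsafe(files) {
  let html = "<ul>";
  for (const f of files) {
    html += `<li><a href="/download/${f.id}/${f.name}">${f.name}</a></li>`;
  }
  return html + "</ul>";
}

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: encode for the URL path, then escape for the attribute and text contexts.
function buildFileListSafe(files) {
  let html = "<ul>";
  for (const f of files) {
    const href = `/download/${encodeURIComponent(f.id)}/${encodeURIComponent(f.name)}`;
    html += `<li><a href="${escapeHtml(href)}">${escapeHtml(f.name)}</a></li>`;
  }
  return html + "</ul>";
}

// Browser equivalent using DOM APIs: textContent and the href property never parse markup.
function renderFileListDom(doc, files) {
  const ul = doc.createElement("ul");
  for (const f of files) {
    const a = doc.createElement("a");
    a.href = `/download/${encodeURIComponent(f.id)}/${encodeURIComponent(f.name)}`;
    a.textContent = f.name;
    const li = doc.createElement("li");
    li.appendChild(a);
    ul.appendChild(li);
  }
  return ul;
}

// Check used to compare the two string renderers: does the markup contain any tag we did not emit?
function containsForeignTag(html) {
  return /<(?!\/?(ul|li|a)\b)/i.test(html);
}
```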
Attack Vector
The attack vector for CVE-2026-25154 requires network access and user interaction. An attacker could exploit this vulnerability through the following scenario:
- The attacker creates a file with a malicious name containing JavaScript code (e.g., <img src=x onerror=alert(document.cookie)>.txt)
- The attacker convinces a victim to share files using LocalSend's "Share via Link" feature, including the malicious file
- When any user (including the original sharer) accesses the generated link, the malicious script executes in their browser context
- The injected script can steal cookies, redirect users, or perform actions on behalf of the authenticated user
The vulnerability can also be exploited if the attacker can modify file metadata in transit on the local network, though this would require additional attack prerequisites.
Detection Methods for CVE-2026-25154
Indicators of Compromise
- Unusual file names containing HTML tags or JavaScript syntax (e.g., <script>, onerror=, onclick=)
- HTTP requests to LocalSend's local server containing encoded script payloads in URL parameters
- Browser console errors indicating blocked inline script execution (if CSP is present)
- Unexpected outbound network connections from browsers after accessing LocalSend share links
Detection Strategies
- Monitor local network traffic for LocalSend HTTP server instances hosting files with suspicious naming patterns
- Implement endpoint detection rules to identify files with HTML/JavaScript content in their filenames
- Review browser history and network logs for access to LocalSend share links followed by unexpected requests
- Deploy web application firewall rules to detect XSS payloads in local network HTTP traffic
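An added detection heuristic (not LocalSend's code) for the two strategies above: percent-decode the file-name portion of request paths to the local server and flag names that carry HTML tags or event-handler attributes. The access-log format and the /download/ path layout are assumptions, and the log lines are constructed.

```javascript
// Added example, not LocalSend's code: flags file names in request paths that carry
// HTML/JavaScript syntax. The access-log format is an assumption.
const SAMPLE_LOG = [ // constructed sample lines: client, method, path, status
  "192.168.1.20 GET /download/a1/report.pdf 200",
  "192.168.1.21 GET /download/b2/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E.txt 200",
  "192.168.1.22 GET /download/c3/notes%20%26%20todo.txt 200",
  "192.168.1.23 GET /download/d4/%3Cscript%3Ealert(1)%3C/script%3E.txt 200",
  "192.168.1.24 GET /download/e5/bad%E0.txt 200",
];

// Indicator patterns from the list above; javascript: URLs added as a related check.
const INDICATORS = [
  ["html_tag", /<\s*\/?\s*[a-z][\w-]*/i],   // <img, <script>, </script>
  ["event_handler", /\bon[a-z]+\s*=/i],      // onerror=, onclick=, ...
  ["javascript_url", /javascript\s*:/i],
];

// Percent-decode a path; an undecodable sequence is itself worth reporting.
function decodePath(path) {
  try { return decodeURIComponent(path); } catch { return null; }
}

// Names of the indicators that match a decoded file name (empty when clean).
function classifyFileName(name) {
  return INDICATORS.filter(([, re]) => re.test(name)).map(([label]) => label);
}

// Scan log lines and return one finding per suspicious request.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = /^(\S+) \S+ (\S+) \d+$/.exec(line);
    if (!m) continue;                       // skip lines in an unexpected format
    const [, client, path] = m;
    const decoded = decodePath(path);
    const indicators = decoded === null ? ["malformed_encoding"] : classifyFileName(decoded);
    if (indicators.length > 0) findings.push({ client, path, indicators });
  }
  return findings;
}
```

Decoding before matching matters because the payload arrives percent-encoded in the request line, so a rule that matches the raw path for `<` or `onerror=` never fires.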
Monitoring Recommendations
- Enable verbose logging on endpoints running LocalSend to track "Share via Link" sessions
- Configure SentinelOne to monitor process behavior for LocalSend instances spawning HTTP servers
- Implement network segmentation monitoring to detect lateral movement following potential XSS exploitation
- Review user-reported incidents involving unexpected browser behavior after using LocalSend sharing features
How to Mitigate CVE-2026-25154
Immediate Actions Required
- Update LocalSend to a version that includes commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c or later
- Avoid using the "Share via Link" feature until the patch is applied
- Review any files shared via LocalSend for suspicious naming patterns before sharing
- Consider using alternative file sharing methods for sensitive transfers until patched
Patch Information
The LocalSend development team has released a fix in commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c. This patch addresses the XSS vulnerability by implementing proper output encoding in the handleFilesDisplay function, ensuring that user-controllable data is safely escaped before being inserted into the DOM.
Users should update to the latest version of LocalSend that includes this fix. For more details, refer to the GitHub Security Advisory GHSA-34v6-52hh-x4r4 and the security patch commit.
Workarounds
- Disable or avoid using the "Share via Link" feature and use direct device-to-device transfers instead
- Validate all file names before initiating a share session, rejecting files with HTML characters (<, >, ", ', &)
- Use browser extensions or settings that block inline JavaScript execution when accessing LocalSend share links
- Deploy a Content Security Policy (CSP) via browser extension that restricts script execution on localhost pages
# Check LocalSend version and verify patch status
# Verify the installed version includes the security fix
localsend --version
# In a git checkout of the LocalSend source tree, verify the fix commit is present
# (an installed binary carries no git history, so run this in the repository)
git log --oneline | grep 8f3cec85
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.