Description

PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. Attackers can craft malicious URLs or rename files with XSS payloads to execute arbitrary JavaScript in victims' browsers when they access the file browser.

PUBLISHED | Reserved 2026-01-27 | Published 2026-01-28 | Updated 2026-01-28 | Assigner VulnCheck

MEDIUM: 4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
MEDIUM: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Any version: affected

Credits

David Bimmel (finder)

References

www.exploit-db.com/exploits/48947 (ExploitDB-48947) [exploit]

github.com/GuidoNeele/PDW-File-Browser (PDW File Browser GitHub Repository) [product]

www.vulncheck.com/...w-file-browser-cross-site-scripting-xss (VulnCheck Advisory: PDW File Browser <= v1.3 - Cross-Site Scripting (XSS)) [third-party-advisory]

cve.org (CVE-2020-36988)

nvd.nist.gov (CVE-2020-36988)