NIXPKGS-2026-0190

GitHub issue published on 9 Feb 2026

Permalink CVE-2026-25154

updated 2 days, 18 hours ago by @jopejoe1 Activity log

Created automatic suggestion 1 week, 5 days ago
@jopejoe1 accepted 3 days ago
@jopejoe1 published on GitHub 2 days, 18 hours ago

LocalSend has Stored XSS in Web Share Interface via Filename

LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch.

Affected products

localsend

==<= 1.17.0

Matching in nixpkgs

pkgs.localsend

Open source cross-platform alternative to AirDrop

nixos-unstable 1.17.0
- nixpkgs-unstable 1.17.0
- nixos-unstable-small 1.17.0
nixos-25.05 1.17.0
- nixos-25.05-small 1.17.0
- nixpkgs-25.05-darwin 1.17.0

Package maintainers

@linsui linsui <linsui555@gmail.com>
@Pandapip1 Gavin John <gavinnjohn@gmail.com>
@sikmir Nikolay Korotkiy <sikmir@disroot.org>

Upstream fix: https://github.com/localsend/localsend/commit/8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c
Upstream advisory: https://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0190

Affected products

Matching in nixpkgs

pkgs.localsend

Package maintainers