TinyWebGallery v2.5 Stored Cross-Site Scripting via Folder Name Parameter

Advisories

severity: medium
date: December 18, 2025
Affecting: TinyWebGallery 2.5
CVE: CVE-2023-53939
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: ExploitDB-51442
Official Product Homepage
Credit: Mirabbas Ağalarov
Description: TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album folder names with script tags to execute arbitrary JavaScript when other users view the affected gallery pages.