Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) via file Parameter | Advisories

Advisories

Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) via file Parameter

severity: medium
date: January 13, 2026
Affecting: Webgrind 1.1
CVE: CVE-2023-54341
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
References: ExploitDB-51074
Webgrind GitHub Repository
Credit: Rafael Pedrero
Description: Webgrind 1.1 and before contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via the file parameter in index.php. The application does not sufficiently encode user-controlled inputs, allowing attackers to execute arbitrary JavaScript in victim's browsers by crafting malicious URLs.