Vulnerability Details CVE-2026-25154
LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a "Share via Link" session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 1.1%
CVSS Severity
CVSS v3 Score 6.1
References
Products affected by CVE-2026-25154
-
cpe:2.3:a:localsend:localsend:-
-
cpe:2.3:a:localsend:localsend:1.10.0
-
cpe:2.3:a:localsend:localsend:1.11.0
-
cpe:2.3:a:localsend:localsend:1.11.1
-
cpe:2.3:a:localsend:localsend:1.12.0
-
cpe:2.3:a:localsend:localsend:1.13.0
-
cpe:2.3:a:localsend:localsend:1.13.1
-
cpe:2.3:a:localsend:localsend:1.14.0
-
cpe:2.3:a:localsend:localsend:1.15.0
-
cpe:2.3:a:localsend:localsend:1.15.1
-
cpe:2.3:a:localsend:localsend:1.15.2
-
cpe:2.3:a:localsend:localsend:1.15.3
-
cpe:2.3:a:localsend:localsend:1.15.4
-
cpe:2.3:a:localsend:localsend:1.16.0
-
cpe:2.3:a:localsend:localsend:1.16.1
-
cpe:2.3:a:localsend:localsend:1.17.0
-
cpe:2.3:a:localsend:localsend:1.3.1
-
cpe:2.3:a:localsend:localsend:1.5.0
-
cpe:2.3:a:localsend:localsend:1.5.2
-
cpe:2.3:a:localsend:localsend:1.6.1
-
cpe:2.3:a:localsend:localsend:1.6.2
-
cpe:2.3:a:localsend:localsend:1.7.0
-
cpe:2.3:a:localsend:localsend:1.8.0
-
cpe:2.3:a:localsend:localsend:1.9.0
-
cpe:2.3:a:localsend:localsend:1.9.1