A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Modern Image Gallery App version 1.0. This flaw allows attackers to inject malicious JavaScript code into the application via manipulation of the 'filename' parameter within the file upload functionality. Successful exploitation could lead to session hijacking, defacement, or redirection to malicious websites, impacting users of the application. A public proof-of-concept is available.
The XSS vulnerability in Modern Image Gallery App arises from insufficient input validation when handling file uploads. An attacker can craft a malicious filename containing JavaScript code and upload it through the application's file upload feature. When a user views the uploaded file or a page displaying information about it, the injected JavaScript code will execute in their browser context. This allows the attacker to steal session cookies, redirect the user to a phishing site, or modify the content of the page, potentially compromising sensitive data or the integrity of the application. The remote nature of the exploit significantly expands the potential attack surface.
This vulnerability is publicly disclosed and a proof-of-concept exploit is available, indicating a higher likelihood of exploitation. The vulnerability has been added to the CISA KEV catalog. Given the ease of exploitation and the public availability of a PoC, attackers are likely to actively target vulnerable installations of Modern Image Gallery App.
Organizations and individuals using SourceCodester Modern Image Gallery App version 1.0 are at risk, particularly those hosting the application on shared hosting environments where vulnerabilities can be easily exploited. Users who frequently upload files to the application are also at heightened risk.
• php / web:
grep -r "<script" /var/www/modern-image-gallery-app/uploads/*• generic web:
curl -I http://your-modern-image-gallery-app/uploads/malicious_file.php | grep Content-Typedisclosure
漏洞利用状态
EPSS
0.03% (9% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2026-3070 is to upgrade to a patched version of Modern Image Gallery App. As no fixed version is specified, thoroughly review the vendor's release notes for updates addressing input validation in the file upload functionality. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious filenames containing JavaScript code. Additionally, carefully scrutinize all uploaded files for suspicious content before displaying them to users. Monitor application logs for unusual activity related to file uploads. After upgrade, confirm by attempting a file upload with a known malicious filename and verifying that the JavaScript code is not executed.
将 Modern Image Gallery App 应用程序更新到 1.0 或更高版本,或应用一个补丁来修复 upload.php 文件中的跨站脚本 (XSS) 漏洞。验证和清理用户输入,特别是文件名,以防止恶意代码注入。实施额外的安全措施,例如使用内容安全策略 (Content Security Policy, CSP),以降低 XSS 风险。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2026-3070 is a cross-site scripting (XSS) vulnerability in Modern Image Gallery App version 1.0, allowing attackers to inject malicious JavaScript code via file uploads.
If you are using Modern Image Gallery App version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of Modern Image Gallery App. Review vendor release notes for details. Implement WAF rules as a temporary workaround.
Yes, a public proof-of-concept is available, indicating a high probability of active exploitation.
Refer to the SourceCodester website and security advisories for updates and official information regarding CVE-2026-3070.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。