CVE-2022-50951 in WiFi File Transfer
Summary
by MITRE • 02/01/2026
WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. Attackers can exploit the web server's input validation weakness to execute arbitrary JavaScript when users preview infected file paths, potentially compromising user browser sessions.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/02/2026
The vulnerability identified as CVE-2022-50951 affects WiFi File Transfer version 1.0.8, representing a critical persistent cross-site scripting flaw that exploits weaknesses in input validation mechanisms. This vulnerability resides within the web server component of the application that handles file and folder name inputs, creating an environment where malicious actors can inject persistent script code into the system. The flaw allows attackers to manipulate file and folder names in ways that bypass normal validation checks, enabling the execution of arbitrary JavaScript code when users preview infected file paths within the application's web interface.
The technical implementation of this vulnerability stems from inadequate sanitization of user-supplied input data within the web server's file management functionality. When users navigate through file structures or preview file details, the application fails to properly escape or validate special characters present in file names, creating opportunities for script injection attacks. This weakness manifests specifically in the preview functionality where the application directly renders user-provided file and folder names without sufficient security measures to prevent malicious code execution. The vulnerability is classified as persistent because the malicious scripts remain embedded in the file system and execute every time the affected files are accessed or previewed.
The operational impact of this vulnerability extends beyond simple script execution, as it creates potential for session hijacking and user compromise. When users preview infected file paths, their browsers execute the injected JavaScript code within the context of the application's security boundaries, potentially allowing attackers to steal session cookies, credentials, or other sensitive information. The attack surface is particularly concerning because it leverages legitimate user interactions with the file transfer application, making detection more challenging for security monitoring systems. This vulnerability can be exploited by remote attackers without requiring local access or elevated privileges, making it particularly dangerous in environments where the application serves multiple users.
Mitigation strategies for CVE-2022-50951 should focus on implementing comprehensive input validation and output encoding mechanisms throughout the application's web server components. Security measures must include proper sanitization of all user-supplied file and folder names before storage and rendering, along with the implementation of Content Security Policy headers to prevent unauthorized script execution. Organizations should also consider implementing web application firewalls and regular security scanning to identify similar vulnerabilities in other applications. The vulnerability aligns with CWE-79 which describes cross-site scripting flaws, and represents a significant concern under ATT&CK technique T1566 for phishing with social engineering, as attackers can craft malicious file names to trick users into executing harmful code. Regular application updates and patch management processes should be prioritized to address such vulnerabilities promptly.