Submit #641129: simstudioai https://github.com/simstudioai/sim <=1.0.0 Dangerous type of file upload (CWE-434)info

Titlesimstudioai https://github.com/simstudioai/sim <=1.0.0 Dangerous type of file upload (CWE-434)
DescriptionThe project's file upload functionality (/api/files/upload) in versions <=1.0.0 that allows uploading arbitrary HTML files without any security processing, and this functionality can be accessed without any authentication requirements. This allows attackers to upload malicious HTML containing XSS payloads without requiring any account, resulting in a stored XSS vulnerability.
Source⚠️ https://github.com/simstudioai/sim/issues/958
User
 ZAST.AI (UID 87884)
Submission08/25/2025 12:48 (10 months ago)
Moderation09/01/2025 14:38 (7 days later)
StatusAccepted
VulDB entry322115 [SimStudioAI sim up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af HTML File Parser route.ts import unrestricted upload]
Points20

PreviousOverviewNext

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!