CVE-2023-53939
TinyWebGallery v2.5 Stored Cross-Site Scripting via Folder Name Parameter
| CVSS Score | 5.4 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album folder names to include script tags, which execute arbitrary JavaScript when other users view the affected gallery pages.
| CWE | CWE-79 |
| Vendor | tinywebgallery |
| Product | tinywebgallery |
| Published | Dec 18, 2025 |
| Last Updated | Apr 7, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
TinyWebGallery / TinyWebGallery
2.5
Credits
Mirabbas Ağalarov