Unknown · Openlist Frontend · CVE-2025-50183
**Name of the Vulnerable Software and Affected Versions**
OpenList Frontend versions prior to 4.0.0-rc.4
**Description**
A stored XSS vulnerability exists in the file preview/browsing feature of the application. It occurs when a file with a .py extension whose content is JavaScript wrapped in `<script>` tags is rendered as HTML instead of being displayed as plain text in certain preview modes. An attacker can place such a .py file in the system via remote channels, and when a victim views the file in browsing mode, the JavaScript executes in the victim's browser context. This may allow access to user information, including cookies, login state, and localStorage.
**Recommendations**
* For versions prior to 4.0.0-rc.4, treat all previewed file types as plain text unless explicitly sanitized.
* For versions prior to 4.0.0-rc.4, disable rendering modes that can interpret user-uploaded content as HTML.
* Update to version 4.0.0-rc.4 or later to patch the vulnerability.
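The following is an added illustration of the defect described above and of the first recommendation (treat every previewed file type as plain text unless it is explicitly allowed and sanitized). It is not OpenList Frontend code; the function names `renderPreviewVulnerable`, `renderPreview`, `escapeHtml`, `extensionOf` and the allowlist `HTML_RENDER_ALLOWLIST` are assumptions, and the sample file name and body are constructed for the demonstration.

```javascript
// Added example (not OpenList Frontend code): a file-preview renderer that treats
// every file type as escaped plain text unless the type is explicitly allowlisted
// for HTML rendering and a sanitizer is supplied. All names here are assumptions.

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Extensions that may reach an HTML renderer at all. Empty by default: a deployment
// that needs HTML preview must opt in here and pair it with a sanitizer.
const HTML_RENDER_ALLOWLIST = new Set();

// Lower-cased extension of a path, or "" when there is none.
function extensionOf(filename) {
  const m = /\.([^./\\]+)$/.exec(filename);
  return m ? m[1].toLowerCase() : "";
}

// Vulnerable pattern from the advisory: the rendering decision depends only on the
// requested mode, never on the file type, so a .py file containing <script> is
// interpolated into markup unescaped (the filename is ignored, which is the defect).
function renderPreviewVulnerable(filename, content, mode) {
  if (mode === "html") return `<div class="preview">${content}</div>`;
  return `<pre class="preview">${escapeHtml(content)}</pre>`;
}

// Hardened: "html" mode is honoured only for allowlisted extensions and only through
// a caller-supplied sanitizer; every other file is rendered as escaped text.
function renderPreview(filename, content, mode, sanitize) {
  const ext = extensionOf(filename);
  if (mode === "html" && HTML_RENDER_ALLOWLIST.has(ext) && typeof sanitize === "function") {
    return `<div class="preview">${sanitize(content)}</div>`;
  }
  return `<pre class="preview">${escapeHtml(content)}</pre>`;
}

// Constructed sample: a "Python" file whose body is really a script element.
const SAMPLE_NAME = "notes.py";
const SAMPLE_BODY = '<script>document.title = "injected"</script>';

// Returns both renderings so the difference can be inspected or asserted on.
function demo() {
  return {
    vulnerable: renderPreviewVulnerable(SAMPLE_NAME, SAMPLE_BODY, "html"),
    hardened: renderPreview(SAMPLE_NAME, SAMPLE_BODY, "html"),
  };
}

console.log(demo());
```

In the hardened path the preview mode requested by the client is advisory only: the server-side (or component-side) allowlist decides whether markup is ever produced, and even then the content passes through a sanitizer rather than being interpolated directly. With the allowlist empty, the `.py` body is shown verbatim inside `<pre>` and the `<script>` element never reaches the DOM as markup.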