VYPR
Low severity (2.4) · NVD Advisory · Published Apr 15, 2024 · Updated Apr 15, 2026

CVE-2024-3766

Description

A vulnerability, which was classified as problematic, has been found in slowlyo OwlAdmin up to 3.5.7. Affected by this issue is some unknown functionality of the file /admin-api/upload_image of the component Image File Upload. The manipulation of the argument file leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-260606 is the identifier assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored cross-site scripting vulnerability in OwlAdmin up to 3.5.7 allows remote attackers to inject arbitrary scripts via crafted image file uploads.

CVE-2024-3766 describes a stored cross-site scripting (XSS) vulnerability in the image file upload functionality of slowlyo OwlAdmin, affecting versions up to 3.5.7. The flaw is in the /admin-api/upload_image endpoint: the handler does not verify that the content of the uploaded `file` argument is actually an image, so an attacker can submit a file whose body is HTML carrying script. On success the server stores the file and returns a URL under the /storage/images/ directory; because the stored file is served back as an HTML document rather than as an image, the injected script runs in the browser of any user who opens that URL [1].

Exploitation

The attacker intercepts a legitimate image upload request to /admin-api/upload_image, replaces the file content with the XSS payload while leaving the rest of the multipart request intact, and submits it. The public proof of concept was demonstrated against the vendor's demo environment using its default admin credentials, i.e., from an authenticated admin session; the advisory's 2.4 (low) score is consistent with that prerequisite and with the need for a victim to open the stored file. Once stored, the file is reachable at the returned /storage/images/ URL, and any browser that loads it renders the payload and executes the script [1].

Impact

Successful exploitation executes attacker-controlled JavaScript in the victim's browser within the origin of the OwlAdmin application, since the /storage/images/ path is served from the same host. The script can read whatever that origin exposes to JavaScript (page content, localStorage, cookies not marked HttpOnly, and API responses the session is authorized to fetch) and can issue requests with the victim's privileges, so an administrator who opens the link risks account takeover or further compromise of the administrative interface. Because the payload is stored, every user who visits the generated page is affected, not only a target who received a crafted link, which enlarges the blast radius [1].

Mitigation

As of the publication date, no patch had been released. The recommended mitigation is output encoding (escaping < as &lt;) together with strict validation of uploaded file content to block script elements. Output encoding protects rendered templates but does not help when the uploaded file itself is served back as a document, so the effective controls sit on the upload and serving paths: accept a file only if its bytes decode as one of the permitted image formats (not by extension or client-supplied Content-Type), store it under a server-generated name, and serve /storage/images/ with a Content-Type derived from the detected format, X-Content-Type-Options: nosniff and, ideally, from a separate origin or under a sandboxing Content-Security-Policy. Until an update is available, administrators should restrict who can reach the upload endpoint and may add a Web Application Firewall (WAF) rule that rejects uploads whose body begins with HTML markup [1].
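The weak check behind this class of bug and a hardened replacement, written out as an added example in Python rather than OwlAdmin's own PHP; this is not the project's code. It assumes a handler that receives the multipart `file` argument named in the advisory and stores the result under /storage/images/. The functions `weak_accept`, `hardened_accept`, `stored_path` and `serving_headers`, the magic-byte table and the sample uploads are all constructed here for illustration; the SVG and polyglot cases go beyond the advisory to cover an image type that legitimately carries script and a file that passes a header check but still contains markup.

```python
"""Image-upload validation: the weak check beside a hardened one.

Added example (hypothetical names, constructed samples), not OwlAdmin code.
"""
from __future__ import annotations

import re
import secrets

# Magic bytes of the raster formats worth storing -> (extension, Content-Type).
# SVG is deliberately absent: it is XML and can carry <script> and event handlers.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ("png", "image/png"),
    b"\xff\xd8\xff": ("jpg", "image/jpeg"),
    b"GIF87a": ("gif", "image/gif"),
    b"GIF89a": ("gif", "image/gif"),
}
# Markup a browser could render or execute if it ever treated the file as HTML.
HTML_MARKERS = re.compile(rb"<\s*(?:script|html|body|svg|iframe|object|embed|!doctype)", re.I)
MAX_BYTES = 5 * 1024 * 1024


def weak_accept(filename: str, declared_mime: str, data: bytes) -> bool:
    """The pattern behind upload XSS: trust the client's filename and Content-Type
    and never look at the bytes. `data` is ignored on purpose."""
    has_image_ext = filename.lower().endswith((".png", ".jpg", ".jpeg", ".gif"))
    return has_image_ext and declared_mime.lower().startswith("image/")


def hardened_accept(filename: str, declared_mime: str, data: bytes) -> tuple[bool, str | None, str | None, str]:
    """Decide from the bytes. Returns (ok, ext, mime, reason); the client-supplied
    filename and Content-Type only appear in the rejection message."""
    if not data or len(data) > MAX_BYTES:
        return False, None, None, "empty or oversized upload"
    for magic, (ext, mime) in MAGIC.items():
        if data.startswith(magic):
            break
    else:
        return False, None, None, f"{filename!r} ({declared_mime}) is not a supported raster image"
    # Defense in depth against polyglots: a genuine image header followed by markup.
    if HTML_MARKERS.search(data[:4096]):
        return False, None, None, "image header followed by HTML/script markup"
    return True, ext, mime, "ok"


def stored_path(ext: str) -> str:
    """Server-chosen name: random token plus the *detected* extension. The client
    filename never reaches the filesystem or the URL."""
    return f"/storage/images/{secrets.token_hex(16)}.{ext}"


def serving_headers(mime: str) -> dict[str, str]:
    """Headers for anything under /storage/images/: Content-Type from the detected
    format, nosniff so the browser cannot second-guess it, and a sandbox CSP that
    denies script execution even if a non-image ever slips through."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Content-Disposition": "inline",
    }


# Constructed sample uploads (not captured from the real exploit).
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
XSS_AS_PNG = b"<html><body><script>alert(document.cookie)</script></body></html>"
SVG_XSS = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>'
POLYGLOT = b"GIF89a" + b"<script>alert(1)</script>"


def demo() -> dict[str, tuple[bool, bool]]:
    """(weak_accept, hardened_accept) verdicts for each sample upload."""
    samples = {
        "real.png": ("image/png", REAL_PNG),
        "evil.png": ("image/png", XSS_AS_PNG),  # the CVE shape: script body, image name
        "logo.svg": ("image/svg+xml", SVG_XSS),
        "poly.gif": ("image/gif", POLYGLOT),
    }
    return {name: (weak_accept(name, m, d), hardened_accept(name, m, d)[0]) for name, (m, d) in samples.items()}


if __name__ == "__main__":
    for name, (weak, hard) in demo().items():
        print(f"{name:10} weak={weak!s:5} hardened={hard}")
    print(serving_headers("image/png"))
```

The point of the split is that `weak_accept` lets `evil.png` through because every field it inspects is attacker-controlled, while `hardened_accept` only ever asks the bytes what they are. The serving headers are the second half of the fix: even a file that defeats the content check is delivered as an image under nosniff and a sandboxing CSP, so a browser has no path to executing it.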

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Slowlyo/Owl Admin (inferred), 2 version ranges: <=3.5.7
    • (no CPE) range: <=3.5.7
    • (no CPE) range: <=3.5.7

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.