File upload local preview can run embedded scripts after user interaction

GHSA-8796-gc9j-63rv

Published May 17, 2021 · Modified Mar 13, 2026

Description

Impact

When uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file, but only after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading. It cannot be exploited remotely or by other users.

Patches

This has been fixed by https://github.com/matrix-org/matrix-react-sdk/pull/5981, which is included in 3.21.0.

Workarounds

There are no known workarounds.

References

WEB https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-8796-gc9j-63rv
PACKAGE https://github.com/matrix-org/matrix-react-sdk

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes