static-web-server vulnerable to stored Cross-site Scripting in directory listings via file names
If directory listings are enabled for a directory that an untrusted user has upload privileges for, a malicious file name like <img src=x onerror=alert(1)>.txt will allow JavaScript code execution in the context of the web server’s domain.