An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
[
{
"product": "statics-server",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "0.0.9"
}
]
}
]