Self-XSS From File Upload Name


I encountered this type of vulnerability a couple of times but weren’t able to fully exploit it, need help! This vulnerability is self-xss which is triggered from file names. E.g. If I were to upload a file named ‘[xss-payload].png’, it will be executed as javascript and the window will prompt ‘1’. But it only goes as far as that, the file name stored in the server is randomly generated, therefore this isn’t a stored xss. Is there anyway I could exploit this? The Javascript is executed when uploading the file only. I tried chaining with Clickjacking, but website doesn’t allow iframe. And from what I heard, CSRF is not possible since setting a ‘pre-filled’ file name is not possible when uploading a file. Any idea where I should go with this? Can I chain this with other vulnerabilities? Thank you all.

[XSS-Payload] = Any XSS payload as file name will be executed when uploading the file

E.g. File Name: <img src=x onerror=alert(1)>.png