CVE-2025-52902
Published 2025-06-26
Priority: P427
Severity: medium (CVSS 3.1 base score 5.4)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.27% (17.8th percentile)
File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to stored Cross-Site Scripting (XSS): any JavaScript code that is part of a Markdown file uploaded by a user is executed by the browser of whoever previews that file. Version 2.33.7 contains a fix for the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | < 2.33.7 | 2.33.7 |
| github.com | filebrowser_filebrowser | 0 – 1.11.0 | — |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.33.7 | 2.33.7 |
OSV (2025-07-28)
CVE-2025-52902: filebrowser allows Stored Cross-Site Scripting through the Markdown preview function in github.com/filebrowser/filebrowser
GHSA (2025-06-27)
CVE-2025-52902 [HIGH] CWE-79: filebrowser allows Stored Cross-Site Scripting through the Markdown preview function
## Summary ##
The Markdown preview function of File Browser v2.32.0 (and every release before v2.33.7) is vulnerable to *stored Cross-Site Scripting (XSS)*. Any JavaScript code that is part of a Markdown file uploaded by a user is executed by the browser of whoever previews that file.
## Impact ##
A user can upload a malicious Markdown file containing arbitrary HTML to the application. When another user within the same scope opens that file, a rendered preview is displayed and any JavaScript it contains runs in that user's browser session.
Malicious actions that are possible include:
* Obtaining the victim's session token
* Elevating the attacker's privileges if the victim is an administrator (e.g., gaining command execution rights)
## Vulnerability Description
OSV (2025-06-27)
CVE-2025-52902 [HIGH]: filebrowser allows Stored Cross-Site Scripting through the Markdown preview function
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-06-26