CVE-2025-52902Cross-site Scripting in Filebrowser

CWE-79Cross-site ScriptingCWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)5 documents4 sources
Severity
5.4MEDIUMNVD
CNA7.6
EPSS
0.0%
top 86.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
FilebrowserGithub.com Filebrowser Filebrowser V2Github.com Filebrowser Filebrowser
Timeline
PublishedJun 26
Latest updateJul 28

Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser. Version 2.33.7 contains a fix for the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

CVEListV5filebrowser/filebrowser< 2.33.7

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
filebrowser allows Stored Cross-Site Scripting through the Markdown preview function in github.com/filebrowser/filebrowser2025-07-28
GHSA
filebrowser allows Stored Cross-Site Scripting through the Markdown preview function2025-06-27
OSV
filebrowser allows Stored Cross-Site Scripting through the Markdown preview function2025-06-27
CVEList
File Browser has Stored Cross-Site Scripting vulnerability2025-06-26
CVE-2025-52902 — Cross-site Scripting in Filebrowser | cvebase