CVE-2026-34529
Published 2026-04-01
Priority P3 · 44 · critical 9 · CVSS 3.1 · AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS 0.32% · 23.8th percentile
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the EPUB preview function in File Browser is vulnerable to Stored Cross-Site Scripting (XSS). JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file. This issue has been patched in version 2.62.2.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | < 2.62.2 | 2.62.2 |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.62.2 | 2.62.2 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| ghsa | | 4.8 | MEDIUM | |
| osv | | 4.8 | MEDIUM | |
GHSA
File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file
ghsa · 2026-03-31 · CVSS 4.8 · MEDIUM · CWE-79
### Summary
The EPUB preview function in File Browser is vulnerable to Stored Cross-site Scripting (XSS). JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file.
### Details
`frontend/src/views/files/Preview.vue` passes `allowScriptedContent: true` to the `vue-reader` (epub.js) component:
```js
// frontend/src/views/files/Preview.vue (Line 87)
:epubOptions="{
allowPopups: true,
allowScriptedContent: true,
}"
```
epub.js renders EPUB content inside a sandboxed `<iframe>` with `srcdoc`. However, the sandbox includes both `allow-scripts` and `allow-same-origin`, which [renders the sandbox ineffective](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#allow-top-navi
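The sandbox weakness the advisory describes, as an added example that is not code from the page, from File Browser or from epub.js: a small auditor for `<iframe sandbox="...">` token sets that flags the `allow-scripts` + `allow-same-origin` combination on a `srcdoc` frame and derives the hardened token set. The attribute string it feeds in is constructed to mirror the advisory; the exact string epub.js emits is not on the page and is an assumption.

```javascript
// Added example, not code from File Browser or epub.js. It audits the token
// set of an <iframe sandbox="..."> attribute such as the one epub.js sets on
// its srcdoc frame and derives a hardened variant. The attribute strings used
// below are constructed to mirror the advisory; the exact string epub.js
// emits is not shown on the page and is an assumption here.
const RULES = [
  {
    id: "origin-escape",
    when: (t) => t.has("allow-scripts") && t.has("allow-same-origin"),
    message: "a srcdoc frame with allow-same-origin shares the embedder's origin, so allow-scripts lets framed script reach the parent document; the sandbox is ineffective",
  },
  {
    id: "top-navigation",
    when: (t) => t.has("allow-scripts") && t.has("allow-top-navigation"),
    message: "framed script can navigate the top-level page",
  },
  {
    id: "popup-escape",
    when: (t) => t.has("allow-popups") && t.has("allow-popups-to-escape-sandbox"),
    message: "windows opened from the frame are not sandboxed",
  },
];

// Capabilities untrusted content (a user-uploaded EPUB) must not receive.
const DROP_FOR_UNTRUSTED = ["allow-scripts", "allow-top-navigation", "allow-popups-to-escape-sandbox"];

// Normalize a sandbox attribute value into a set of lowercase tokens.
function parseSandbox(value) {
  return new Set(String(value).toLowerCase().split(/\s+/).filter(Boolean));
}

// Return the rules the attribute violates; an empty array means no finding.
function auditSandbox(value) {
  const tokens = parseSandbox(value);
  return RULES.filter((r) => r.when(tokens)).map(({ id, message }) => ({ id, message }));
}

// Hardened attribute for untrusted documents. Scripts are dropped rather than
// allow-same-origin because the reader itself still needs same-origin DOM
// access to lay out the chapter; this mirrors turning allowScriptedContent off.
function hardenSandbox(value) {
  const tokens = parseSandbox(value);
  for (const t of DROP_FOR_UNTRUSTED) tokens.delete(t);
  return [...tokens].join(" ");
}

// Constructed input approximating the pre-2.62.2 frame (allow-popups assumed).
const VULNERABLE = "allow-same-origin allow-scripts allow-popups";
console.log(auditSandbox(VULNERABLE).map((f) => f.id)); // [ 'origin-escape' ]
console.log(hardenSandbox(VULNERABLE)); // allow-same-origin allow-popups
```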
OSV
File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file
osv · 2026-03-31 · CVSS 4.8 · MEDIUM
Advisory text identical to the GHSA entry above.
No detection rules found.
No public exploits indexed.