GHSA-MMPX-JH39-WRV6

Vulnerability from github – Published: 2026-05-07 03:29 – Updated: 2026-05-07 03:29
Summary
FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header)
Details

Summary

FileBrowser Quantum serves inline SVG files without a Content-Security-Policy header, allowing embedded JavaScript in SVG files to execute when accessed via public share links.

Verified on v1.3.0-stable.

Affected product

  • Product: FileBrowser Quantum (gtsteffaniak/filebrowser)
  • Verified version: v1.3.0-stable
  • Docker image: gtstef/filebrowser:latest
  • Affected endpoint: GET /public/api/resources/download?hash=HASH&inline=true
  • CWE: CWE-79 — Cross-site Scripting (Stored)

Impact

  • Stored XSS — Malicious SVG persists and executes for every visitor to the share link
  • No authentication required to trigger — Public share links are accessible to anyone
  • Session hijacking — If authenticated users click the link, their session can be stolen
  • Phishing — Attacker can redirect or overlay fake login forms

Reproduction

  1. Log in as any user with upload permission
  2. Upload an SVG file containing a script element:

     <svg xmlns="http://www.w3.org/2000/svg">
       <script>alert(document.domain)</script>
     </svg>

  3. Create a public share for the file
  4. Open the share's inline download URL (the endpoint above, with ?inline=true)
  5. The embedded JavaScript executes in the browser, in the origin the share is served from

Root cause

The inline download endpoint returns SVG files with:

Content-Type: image/svg+xml
Content-Disposition: inline; filename="xss.svg"
X-Content-Type-Options: nosniff

but no Content-Security-Policy header, so a <script> element inside the SVG runs when the browser renders the document. X-Content-Type-Options: nosniff does not help here: it only stops the browser from reinterpreting the declared type, and the declared type, image/svg+xml, is already one that executes scripts when navigated to directly. The upstream project (filebrowser/filebrowser) mitigates this with:

Content-Security-Policy: script-src 'none'

Suggested fix

Add a Content-Security-Policy header to inline file downloads:

w.Header().Set("Content-Security-Policy", "script-src 'none'")

This matches the upstream filebrowser/filebrowser implementation.
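The program below is an added example, not code from FileBrowser Quantum or the upstream project. It puts the response the advisory reports (SVG served inline with nosniff but no CSP) beside the same response with the suggested header, and wraps the reproduction steps in an offline check that sends the advisory's request shape through each handler and reports whether a browser would be allowed to run scripts in the result. The handler names, the serveInline helper, AuditInlineSVG and cspBlocksScripts are all hypothetical; the SVG payload is constructed from the reproduction section, and HASH is the placeholder the advisory uses. The policy parser goes slightly beyond the page by also accepting default-src 'none', which script-src falls back to when no script-src directive is present.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// constructedSVG is a constructed sample of the payload described in the
// advisory: an SVG document with an embedded <script> element.
const constructedSVG = `<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert(document.domain)</script>
</svg>`

// serveInline (hypothetical helper) writes a stored file for inline display with
// the headers the advisory reports for the inline download endpoint. The route
// and the hash lookup of the real endpoint are simplified away here.
func serveInline(w http.ResponseWriter, name, contentType string, body []byte, withCSP bool) {
	w.Header().Set("Content-Type", contentType)
	w.Header().Set("Content-Disposition", fmt.Sprintf("inline; filename=%q", name))
	w.Header().Set("X-Content-Type-Options", "nosniff")
	if withCSP {
		// The fix from the advisory: forbid script execution in the served
		// document regardless of what the uploaded file contains.
		w.Header().Set("Content-Security-Policy", "script-src 'none'")
	}
	w.Write(body)
}

// vulnerableHandler reproduces the reported behaviour: no CSP header.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	serveInline(w, "xss.svg", "image/svg+xml", []byte(constructedSVG), false)
}

// fixedHandler applies the suggested fix.
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	serveInline(w, "xss.svg", "image/svg+xml", []byte(constructedSVG), true)
}

// cspBlocksScripts reports whether a policy forbids script execution: either
// script-src 'none', or default-src 'none' when no script-src directive is set
// (script-src falls back to default-src). An empty policy blocks nothing.
func cspBlocksScripts(policy string) bool {
	defaultNone := false
	for _, directive := range strings.Split(policy, ";") {
		fields := strings.Fields(directive)
		if len(fields) == 0 {
			continue
		}
		switch strings.ToLower(fields[0]) {
		case "script-src":
			return len(fields) == 2 && fields[1] == "'none'"
		case "default-src":
			defaultNone = len(fields) == 2 && fields[1] == "'none'"
		}
	}
	return defaultNone
}

// AuditInlineSVG sends the advisory's request shape to a handler and reports
// whether the inline SVG it returns could execute scripts. It runs in-process
// via httptest so the check works offline; against a live instance the same
// header logic applies to a plain GET of the share URL with inline=true.
func AuditInlineSVG(h http.HandlerFunc) (scriptable bool, headers http.Header) {
	req := httptest.NewRequest(http.MethodGet,
		"/public/api/resources/download?hash=HASH&inline=true", nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	resp := rec.Result()
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)

	ct := strings.ToLower(resp.Header.Get("Content-Type"))
	disp := strings.ToLower(resp.Header.Get("Content-Disposition"))
	if !strings.HasPrefix(ct, "image/svg+xml") {
		return false, resp.Header // not an SVG document; nosniff keeps it that way
	}
	if disp != "" && !strings.HasPrefix(disp, "inline") {
		return false, resp.Header // attachment: downloaded, never rendered
	}
	return !cspBlocksScripts(resp.Header.Get("Content-Security-Policy")), resp.Header
}

func main() {
	handlers := map[string]http.HandlerFunc{"vulnerable": vulnerableHandler, "fixed": fixedHandler}
	for name, h := range handlers {
		scriptable, hdr := AuditInlineSVG(h)
		fmt.Printf("%-10s CSP=%q scriptable=%v\n", name, hdr.Get("Content-Security-Policy"), scriptable)
	}
}
```

The check deliberately treats a missing Content-Disposition as inline, since that is how browsers behave, and ignores X-Content-Type-Options, which cannot make an image/svg+xml document non-scriptable.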


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gtsteffaniak/filebrowser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260501184955-6bfc3974192e"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T03:29:43Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nFileBrowser Quantum serves inline SVG files without a `Content-Security-Policy` header, allowing embedded JavaScript in SVG files to execute when accessed via public share links.\n\nVerified on v1.3.0-stable.\n\n## Affected product\n\n- **Product:** FileBrowser Quantum (`gtsteffaniak/filebrowser`)\n- **Verified version:** v1.3.0-stable\n- **Docker image:** gtstef/filebrowser:latest\n- **Affected endpoint:** `GET /public/api/resources/download?hash=HASH\u0026inline=true`\n- **CWE:** CWE-79 \u2014 Cross-site Scripting (Stored)\n\n## Impact\n\n- **Stored XSS** \u2014 Malicious SVG persists and executes for every visitor to the share link\n- **No authentication required to trigger** \u2014 Public share links are accessible to anyone\n- **Session hijacking** \u2014 If authenticated users click the link, their session can be stolen\n- **Phishing** \u2014 Attacker can redirect or overlay fake login forms\n\n## Reproduction\n\n1. Login as any user with upload permission\n2. Upload SVG file:\n   ```xml\n   \u003csvg xmlns=\"http://www.w3.org/2000/svg\"\u003e\n     \u003cscript\u003ealert(document.domain)\u003c/script\u003e\n   \u003c/svg\u003e\n   ```\n3. Create public share for the file\n4. Access the share link with `?inline=true`\n5. JavaScript executes in browser\n\n## Root cause\n\nThe inline download endpoint returns SVG files with:\n```\nContent-Type: image/svg+xml\nContent-Disposition: inline; filename=\"xss.svg\"\nX-Content-Type-Options: nosniff\n```\n\nBut no CSP header to block script execution. The upstream project (filebrowser/filebrowser) mitigates this with:\n```\nContent-Security-Policy: script-src \u0027none\u0027\n```\n\n## Suggested fix\n\nAdd CSP header on inline file downloads:\n\n```go\nw.Header().Set(\"Content-Security-Policy\", \"script-src \u0027none\u0027\")\n```\n\nThis matches the upstream filebrowser/filebrowser implementation.",
  "id": "GHSA-mmpx-jh39-wrv6",
  "modified": "2026-05-07T03:29:43Z",
  "published": "2026-05-07T03:29:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-mmpx-jh39-wrv6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/commit/6bfc3974192e954f71cc5d1cd04baaaec3b76383"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gtsteffaniak/filebrowser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header)"
}