GHSA-MMPX-JH39-WRV6: Stored Cross-Site Scripting in FileBrowser Quantum via SVG Rendering
Vulnerability ID: GHSA-MMPX-JH39-WRV6
CVSS Score: 5.4
Published: 2026-05-07
FileBrowser Quantum versions prior to v1.3.1-stable and v1.3.9-beta are vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability manifests when the application serves a user-uploaded Scalable Vector Graphics (SVG) file with the ?inline=true query parameter, which switches the Content-Disposition header from attachment to inline so the browser renders the file as a top-level document instead of downloading it. Because the response carried no restrictive Content-Security-Policy (CSP) header, the browser executes any script element embedded in the SVG within the application's origin, with access to the viewer's session.
TL;DR
FileBrowser Quantum allows Stored XSS via malicious SVG files served inline due to a missing Content-Security-Policy header. Attackers can execute arbitrary JavaScript in a victim's session.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Type: Stored Cross-Site Scripting (XSS)
- CWE ID: CWE-79, CWE-693
- Attack Vector: Network
- Authentication Status: Required for the attacker to upload the SVG; none required for the victim, who only has to open the inline link
- Affected Component: backend/http/download.go
- Exploit Availability: Proof of Concept available
Affected Systems
- FileBrowser Quantum (github.com/gtsteffaniak/filebrowser)
- FileBrowser Quantum stable channel: < v1.3.1-stable (fixed in v1.3.1-stable)
- FileBrowser Quantum beta channel: < v1.3.9-beta (fixed in v1.3.9-beta)
Code Analysis
Commit: 6bfc397
Added Content-Security-Policy header to mitigate inline SVG XSS execution.
func setContentDisposition(w http.ResponseWriter, r *http.Request, fileName string) {
dispositionType := "attachment"
if r.URL.Query().Get("inline") == "true" {
dispositionType = "inline"
+ // Inline SVG (and similar) can execute embedded scripts when opened as a top-level document;
+ // match upstream filebrowser mitigation.
+ w.Header().Set("Content-Security-Policy", "script-src 'none'")
}
// ...
}
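Review bot: w.Header().Set on the inline branch replaces any Content-Security-Policy that a middleware or reverse proxy has already placed on the response instead of combining with it, and script-src 'none' on its own leaves default-src unset, so an SVG opened as a top-level document can still pull images, stylesheets or fonts from any origin and object/embed content is not forbidden (object-src falls back to default-src). Consider a deny-by-default value such as default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data: (or the sandbox directive), and a short comment stating that the header is deliberately limited to inline responses because attachment responses are downloaded rather than rendered.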
Mitigation Strategies
- Update FileBrowser Quantum to v1.3.1-stable (stable channel) or v1.3.9-beta (beta channel), or later.
- Until the update is deployed, have the reverse proxy add a restrictive Content-Security-Policy (for example script-src 'none') to responses from file rendering endpoints.
- Block or strip the ?inline=true parameter at the reverse proxy or Web Application Firewall (WAF) if inline rendering is not required; without it the file is served as an attachment and downloaded rather than rendered.
Remediation Steps:
- Identify the current version of FileBrowser Quantum deployed in the environment.
- Download the patched binary for v1.3.1-stable or v1.3.9-beta from the official repository releases.
- Stop the FileBrowser service.
- Replace the existing executable with the downloaded patched binary.
- Restart the service and verify that a request to a file endpoint with ?inline=true returns the header Content-Security-Policy: script-src 'none', while a request without the parameter still returns Content-Disposition: attachment.
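The following is an added example, not code from FileBrowser Quantum or from the advisory, that puts two pieces of this page side by side: a stand-in handler with the pre-fix and post-fix header behaviour from the Code Analysis section, and a CheckInline function that performs the final verification step above against any URL. The handler, the /api/raw/avatar.svg path, the avatar.svg file name and the SVG sample are assumptions constructed for the example. Run as-is it starts both variants locally with httptest; point CheckInline at a real instance to verify a deployment.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// maliciousSVG is a constructed sample of the file type the advisory describes: a
// valid SVG carrying an inline <script>. Built here so the example runs offline.
const maliciousSVG = `<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="red"/>
  <script>alert(document.domain)</script>
</svg>`

// serveFile is an assumed stand-in for the download handler with the same
// ?inline=true switch shown under Code Analysis. hardened=false reproduces the
// pre-fix behaviour (inline, no CSP); hardened=true sets the header the fix adds.
func serveFile(hardened bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		disposition := "attachment"
		if r.URL.Query().Get("inline") == "true" {
			disposition = "inline"
			if hardened {
				w.Header().Set("Content-Security-Policy", "script-src 'none'")
			}
		}
		w.Header().Set("Content-Disposition", disposition+`; filename="avatar.svg"`)
		w.Header().Set("Content-Type", "image/svg+xml")
		io.WriteString(w, maliciousSVG)
	})
}

type CheckResult struct {
	CSP           string
	ScriptBlocked bool // the CSP forbids script execution for this response
	ScriptInBody  bool // the served body actually contains a <script> element
}

// cspBlocksScripts reports whether a CSP value forbids every script source:
// script-src 'none', or default-src 'none' when script-src is absent.
func cspBlocksScripts(csp string) bool {
	srcs := map[string][]string{}
	for _, directive := range strings.Split(csp, ";") {
		if f := strings.Fields(directive); len(f) > 0 {
			if name := strings.ToLower(f[0]); srcs[name] == nil {
				srcs[name] = f[1:] // browsers honour the first occurrence of a directive
			}
		}
	}
	s, ok := srcs["script-src"]
	if !ok {
		s, ok = srcs["default-src"] // fallback only when script-src is absent
	}
	return ok && len(s) == 1 && strings.EqualFold(s[0], "'none'")
}

// CheckInline fetches fileURL with inline=true and reports whether the response
// would let a browser run scripts from the SVG. Pointed at a real deployment it
// performs the advisory's verification step; the file path is an assumption.
func CheckInline(client *http.Client, fileURL string) (CheckResult, error) {
	u, err := url.Parse(fileURL)
	if err != nil {
		return CheckResult{}, err
	}
	u.RawQuery = "inline=true" // replaces any query string already on fileURL
	resp, err := client.Get(u.String())
	if err != nil {
		return CheckResult{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the read; we only scan for <script>
	if err != nil {
		return CheckResult{}, err
	}
	csp := resp.Header.Get("Content-Security-Policy")
	return CheckResult{
		CSP:           csp,
		ScriptBlocked: cspBlocksScripts(csp),
		ScriptInBody:  strings.Contains(strings.ToLower(string(body)), "<script"),
	}, nil
}

func main() {
	for _, hardened := range []bool{false, true} {
		srv := httptest.NewServer(serveFile(hardened))
		res, err := CheckInline(srv.Client(), srv.URL+"/api/raw/avatar.svg")
		srv.Close()
		if err != nil {
			fmt.Println("request failed:", err)
			continue
		}
		fmt.Printf("hardened=%v csp=%q scriptBlocked=%v scriptInBody=%v\n", hardened, res.CSP, res.ScriptBlocked, res.ScriptInBody)
	}
}
```

The check parses the policy rather than string-matching the exact header, so it also accepts a stricter value such as default-src 'none' added by a reverse proxy. ScriptInBody stays true against the patched stand-in, which is the point to keep in mind: the fix leaves the stored file untouched and relies on the browser honouring the CSP header on the inline response.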
References
- GitHub Advisory GHSA-mmpx-jh39-wrv6
- Fix Commit in gtsteffaniak/filebrowser
- Project Releases Page
- Go Vulnerability Database Entry