{"vulnerability": "GHSA-MMPX-JH39-WRV6", "sightings": [{"uuid": "dfc4b1a1-42ee-4409-8095-c4f6903c48f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-MMPX-JH39-WRV6", "type": "seen", "source": "https://gist.github.com/alon710/14822427e82604da5dce18ab5080ddb7", "content": "# GHSA-MMPX-JH39-WRV6: Stored Cross-Site Scripting in FileBrowser Quantum via SVG Rendering\n\n> **CVSS Score:** 5.4\n> **Published:** 2026-05-07\n> **Full Report:** https://cvereports.com/reports/GHSA-MMPX-JH39-WRV6\n\n## Summary\nFileBrowser Quantum versions prior to v1.3.1-stable and v1.3.9-beta are vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability manifests when the application serves user-uploaded Scalable Vector Graphics (SVG) files with the `inline` parameter. Due to the absence of a restrictive Content-Security-Policy (CSP) header, modern browsers execute embedded JavaScript within the application's origin context.\n\n## TL;DR\nFileBrowser Quantum allows Stored XSS via malicious SVG files served inline due to a missing Content-Security-Policy header. Attackers can execute arbitrary JavaScript in a victim's session.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **Vulnerability Type**: Stored Cross-Site Scripting (XSS)\n- **CWE ID**: CWE-79, CWE-693\n- **Attack Vector**: Network\n- **Authentication Status**: Required for upload, unauthenticated for victim execution\n- **Affected Component**: backend/http/download.go\n- **Exploit Availability**: Proof of Concept available\n\n## Affected Systems\n\n- FileBrowser Quantum (github.com/gtsteffaniak/filebrowser)\n- **FileBrowser Quantum**: < v1.3.1-stable (Fixed in: `v1.3.1-stable`)\n- **FileBrowser Quantum**: < v1.3.9-beta (Fixed in: `v1.3.9-beta`)\n\n## Mitigation\n\n- Update FileBrowser Quantum to version v1.3.1-stable or v1.3.9-beta.\n- Configure reverse proxies to enforce a strict CSP on all file rendering endpoints.\n- Block the `?inline=true` parameter via Web Application Firewall (WAF) if inline rendering is not required.\n\n**Remediation Steps:**\n1. Identify the current version of FileBrowser Quantum deployed in the environment.\n2. Download the patched binary for v1.3.1-stable or v1.3.9-beta from the official repository releases.\n3. Stop the FileBrowser service.\n4. Replace the existing executable with the downloaded patched binary.\n5. Restart the service and verify that requests to file endpoints with `?inline=true` return the `Content-Security-Policy: script-src 'none'` header.\n\n## References\n\n- [GitHub Advisory GHSA-mmpx-jh39-wrv6](https://github.com/advisories/GHSA-MMPX-JH39-WRV6)\n- [Fix Commit in gtsteffaniak/filebrowser](https://github.com/gtsteffaniak/filebrowser/commit/6bfc3974192e954f71cc5d1cd04baaaec3b76383)\n- [Project Releases Page](https://github.com/gtsteffaniak/filebrowser/releases)\n- [Go Vulnerability Database Entry](https://pkg.go.dev/vuln/GHSA-mmpx-jh39-wrv6)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-MMPX-JH39-WRV6) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-07T03:40:29.000000Z"}]}