CVE

CVE-2025-68116

FileRise vulnerable to Cross-Site Scripting (XSS) in SVG File Handling

CVE

CVE-2025-68116

FileRise vulnerable to Cross-Site Scripting (XSS) in SVG File Handling

FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-renderable user uploads when served through the sharing and download endpoints. An attacker who can get a crafted SVG (primary) or HTML (secondary) file stored in a FileRise instance can cause JavaScript execution when a victim opens a generated share link (and in some cases via the direct download endpoint). This impacts share links (/api/file/share.php) and direct file access / download path (/api/file/download.php), depending on browser/content-type behavior. Version 2.7.1 fixes the issue.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

8.9

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68116.json, https://github.com/error311/FileRise/security/advisories/GHSA-35pp-ggh6-c59c, https://nvd.nist.gov/vuln/detail/CVE-2025-68116

Severity

8.9

CVSS Score

Basic Information

Ecosystem

Base CVSS

8.9

EPSS Probability

0.00039%

EPSS Percentile

0.11425%

Introduced Version

Fix Available

0ad340942b268c31197aa140b2c3daa16921ec88

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2025-68116

CVE-2025-68116

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

8.9

Basic Information

Fix Critical Vulnerabilities Instantly