
GHSA-MMPX-JH39-WRV6: Stored Cross-Site Scripting in FileBrowser Quantum via SVG Rendering

DEV Community·CVE Reports·26 days ago

Vulnerability ID: GHSA-MMPX-JH39-WRV6
CVSS Score: 5.4
Published: 2026-05-07

FileBrowser Quantum versions prior to v1.3.1-stable and v1.3.9-beta are vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability manifests when the application serves user-uploaded Scalable Vector Graphics (SVG) files with the inline parameter. Due to the absence of a restrictive Content-Security-Policy (CSP) header, modern browsers execute embedded JavaScript within the application's origin context.

TL;DR

FileBrowser Quantum allows Stored XSS via malicious SVG files served inline due to a missing Content-Security-Policy header. Attackers can execute arbitrary JavaScript in a victim's session.…
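One way a download handler can close the gap described above, as an added Go example that is not FileBrowser Quantum's code or its actual patch: it sends a locked-down Content-Security-Policy with `sandbox` on SVG and other active document types. The handler name, the `file` and `inline` query parameters, the extension list and the sample SVG are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path/filepath"
	"strings"
)

// Constructed, script-free stand-in for a user-uploaded SVG.
const sampleSVG = `<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8"><rect width="8" height="8"/></svg>`

// Extensions a browser can render as an active document (illustrative list).
var activeDocs = map[string]string{".svg": "image/svg+xml", ".html": "text/html", ".xml": "application/xml"}

// lockedCSP blocks all script and subresource loads; sandbox also gives the
// document an opaque origin, so it cannot act with the application's origin.
const lockedCSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox"

// serveUpload is a hypothetical download handler: ?file=<name>&inline=true.
func serveUpload(w http.ResponseWriter, r *http.Request) {
	name := filepath.Base(r.URL.Query().Get("file"))
	disp := "attachment"
	if r.URL.Query().Get("inline") == "true" {
		disp = "inline"
	}
	h := w.Header()
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Disposition", mime.FormatMediaType(disp, map[string]string{"filename": name}))
	if ctype, ok := activeDocs[strings.ToLower(filepath.Ext(name))]; ok {
		h.Set("Content-Type", ctype)
		h.Set("Content-Security-Policy", lockedCSP) // set for inline and attachment alike
	} else {
		h.Set("Content-Type", "application/octet-stream")
	}
	fmt.Fprint(w, sampleSVG) // a real handler would stream the stored file
}

// probe issues an in-memory request and returns the response headers.
func probe(target string) http.Header {
	rec := httptest.NewRecorder()
	serveUpload(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Result().Header
}

func main() {
	for _, t := range []string{"/dl?file=logo.svg&inline=true", "/dl?file=notes.txt&inline=true"} {
		h := probe(t)
		fmt.Printf("%-32s CSP=%q type=%s\n", t, h.Get("Content-Security-Policy"), h.Get("Content-Type"))
	}
}
```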
