CVE-2025-68116 HIGH

CVE-2025-68116: FileRise vulnerable to Cross-Site Scripting (XSS) in SVG File Handling

Vendor Error311
Product FileRise
Weakness CWE-79 · XSS
Published December 16, 2025
Last update December 16, 2025
View on NVD All CVEs

CVSS base score

8.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

What the vulnerability does

01Description

FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-renderable user uploads when served through the sharing and download endpoints. An attacker who can get a crafted SVG (primary) or HTML (secondary) file stored in a FileRise instance can cause JavaScript execution when a victim opens a generated share link (and in some cases via the direct download endpoint). This impacts share links (`/api/file/share.php`) and direct file access / download path (`/api/file/download.php`), depending on browser/content-type behavior. Version 2.7.1 fixes the issue.

Key dates

02Disclosure timeline

December 16, 2025 CVE published
December 16, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-12299 code-projects Simple Food Ordering System addproduct.php cross site scripting CVE-2025-46926 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2024-4516 Campcodes Complete Web-Based School Management System timetable.php cross site scripting CVE-2023-39919 WordPress wpShopGermany – Protected Shops Plugin <= 2.0 is vulnerable to Cross Site Scripting (XSS) CVE-2024-27992 WordPress Link Whisper Free plugin <= 0.6.8 - Reflected Cross Site Scripting (XSS) vulnerability