
Description

FileRise is a self-hosted, web-based file manager with multi-file upload, editing, and batch operations. Prior to 2.2.3, FileRise has a stored cross-site scripting (XSS) vulnerability caused by improper handling of uploaded SVG files. The application accepts user-supplied SVG uploads without sanitizing or restricting embedded script content. When a malicious SVG containing inline JavaScript or event-handler payloads is uploaded, it is stored and later served to the browser, which renders it inline whenever the file is viewed within the application. Because SVG is an XML format that permits <script> elements, event attributes (such as onload) and javascript: URLs, and because the file is served from the application's own origin, the embedded code executes in that origin with the viewing user's session, which makes this a full stored XSS. This vulnerability is fixed in 2.2.3.
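
The practical point for anyone running a file manager of this kind: script inside an SVG runs only when the browser loads the file as a document (direct navigation to the upload URL, or <object>, <embed> and <iframe> references), not when it is referenced from an <img> tag, so an inline "view" or preview link served from the application's origin is exactly the exposure described above. The example below is added here and is not FileRise's code, nor a reproduction of the project's fix in commit f2ce43f; it shows the two server-side controls a practitioner would reach for: a reject-check that walks an uploaded SVG as XML and reports script elements, event-handler attributes, active href schemes and foreignObject embedding (including the whitespace-in-scheme trick browsers tolerate), and the response headers that keep an uploaded SVG from rendering inline in the application's origin even if a payload slips through. The function names and the sample SVGs are constructed for this example.

```python
"""
Added example, not FileRise's code and not a reproduction of its fix.

Two server-side controls for user-uploaded SVGs:
  1. find_active_content(): a reject-check that walks the SVG as XML and
     reports anything that can run script in the application's origin.
  2. safe_svg_response_headers(): headers that stop the file from rendering
     inline in the application's origin even if a payload gets past the check.
The sample SVGs at the bottom are constructed for this example.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Element local names that carry script or embed a foreign (HTML) document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed"}
# URL schemes that execute code when a browser follows the link.
ACTIVE_SCHEMES = ("javascript:", "vbscript:")


def _local(qname: str) -> str:
    """Drop the '{namespace}' prefix ElementTree puts on tags and attributes.
    Lower-cased because an HTML parser (case-insensitive) may see the same
    markup if the file is ever embedded into an HTML page."""
    return qname.rsplit("}", 1)[-1].lower()


def _normalise_url(value: str) -> str:
    """Mirror browser scheme parsing: ASCII control characters and spaces are
    ignored, so 'java<TAB>script:' still means javascript: to the browser."""
    return re.sub(r"[\x00-\x20]", "", value).lower()


def find_active_content(svg: bytes) -> list[str]:
    """Return the reasons this SVG must be rejected; an empty list means clean.

    This is a deny-list check for rejecting uploads, not a sanitiser: it never
    rewrites the file. If uploads must stay SVG and be rendered inline, an
    allow-list sanitiser is the stronger option.
    """
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings: list[str] = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and _normalise_url(value).startswith(ACTIVE_SCHEMES):
                # Covers both SVG 2 'href' and the older 'xlink:href'.
                findings.append(f"href with active scheme on <{tag}>")
    return findings


def safe_svg_response_headers(filename: str) -> dict[str, str]:
    """Headers for serving an uploaded SVG from the application's own origin.

    attachment: the browser downloads instead of rendering the document, so a
                <script> inside it never runs; an <img src=...> pointing at the
                same URL keeps working and never runs script anyway.
    nosniff:    stops the browser from second-guessing the MIME type.
    CSP:        a script-less policy plus 'sandbox' keeps the file inert even
                if a proxy or misconfiguration drops Content-Disposition.
    """
    # Header-injection guard: keep only characters safe inside a quoted filename.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download.svg"
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# Constructed samples: one benign file and four payload shapes.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
             b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>alert(document.domain)</script></svg>')
ONLOAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">'
              b'<rect width="1" height="1"/></svg>')
# A tab (character reference) inside the scheme still parses as javascript: in browsers.
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="java&#x09;script:alert(1)"><text y="10">click</text></a></svg>')
FOREIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
               b'<body xmlns="http://www.w3.org/1999/xhtml"><script>alert(1)</script></body>'
               b'</foreignObject></svg>')

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                          ("onload", ONLOAD_SVG), ("href", HREF_SVG),
                          ("foreignObject", FOREIGN_SVG)]:
        print(f"{label:14s} -> {find_active_content(sample) or 'OK'}")
    print(safe_svg_response_headers("logo.svg"))
```

The two controls are independent: the header set alone would have closed the "view in the application" path even for files the check misses, and the check alone protects other consumers of the stored file (a later feature that inlines uploads into HTML, for instance). Running both is the usual choice.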

Status: PUBLISHED | Reserved 2025-11-28 | Published 2025-12-01 | Updated 2025-12-02 | Assigner: GitHub_M




Severity: MEDIUM, 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 2.2.3: affected

References

github.com/...leRise/security/advisories/GHSA-qrcv-vjvf-fr29

github.com/...ommit/f2ce43f18f0444f8f63f7c33758d1837dd5ba91e

cve.org (CVE-2025-66403)

nvd.nist.gov (CVE-2025-66403)
