CVE-2026-1466
Unknown Unknown - Not Provided
MIME Sniffing Bypass in Jirafeau Enables Cross-Site Scripting

Publication date: 2026-01-28

Last updated on: 2026-02-12

Assigner: GitLab Inc.

Description
Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066), video and audio. However, it was possible to bypass this check by sending a manipulated HTTP request with an invalid MIME type like image. When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled by sending the HTTP header X-Content-Type-Options: nosniff.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-28
Last Modified
2026-02-12
Generated
2026-05-07
AI Q&A
2026-01-29
EPSS Evaluated
2026-05-05
NVD
CVE-2026-1466
EUVD
EUVD-2026-4867
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jirafeau jirafeau to 4.7.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Jirafeau allows an attacker to bypass the MIME type check that normally prevents browser preview of text files, such as SVG and HTML, which could be exploited for cross-site scripting (XSS). By sending a manipulated HTTP request with an invalid MIME type like 'image.', the browser attempts to auto-detect the MIME type and may incorrectly identify it as SVG, potentially executing malicious JavaScript code. This occurs because MIME sniffing is not properly disabled.


How can this vulnerability impact me? :

The vulnerability can lead to cross-site scripting (XSS) attacks, where malicious JavaScript code is executed in the context of the victim's browser. This can result in unauthorized actions, data theft, or session hijacking. Since the vulnerability allows bypassing MIME type restrictions, it increases the risk of executing harmful scripts when previewing files in the browser.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by inspecting HTTP responses from the Jirafeau server to check if the header 'X-Content-Type-Options: nosniff' is missing. For example, use the command: curl -I http://<jirafeau-server>/file to see if the header is present. If the header is absent, the system may be vulnerable to MIME sniffing attacks as described.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that the HTTP header 'X-Content-Type-Options: nosniff' is sent by the Jirafeau server to disable MIME sniffing. This prevents browsers from automatically detecting MIME types and executing potentially malicious scripts embedded in files. Additionally, verify that MIME type checks are properly enforced and that manipulated MIME types like 'image.' are not accepted for browser preview.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart