CVE-2026-25230
Undergoing Analysis Undergoing Analysis - In Progress

HTML Injection in FileRise WebDAV Server Allows DOM Manipulation

Vulnerability report for CVE-2026-25230, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-09

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description

FileRise is a self-hosted web file manager / WebDAV server. Prior to 3.3.0, an HTML Injection vulnerability allows an authenticated user to modify the DOM and add e.g. form elements that call certain endpoints or link elements that redirect the user on active interaction. This vulnerability is fixed in 3.3.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-09
Last Modified
2026-02-19
Generated
2026-07-06
AI Q&A
2026-02-09
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
filerise filerise to 3.3.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an HTML Injection issue in FileRise, a self-hosted web file manager and WebDAV server. Before version 3.3.0, an authenticated user could inject HTML code into the web interface, allowing them to modify the Document Object Model (DOM). This could include adding form elements that interact with certain endpoints or adding link elements that redirect users when they interact with them.

Impact Analysis

The impact of this vulnerability includes the potential for an authenticated user to manipulate the web interface in ways that could lead to unintended actions or redirections. Although it does not directly compromise confidentiality, it can affect the integrity and availability of the system by allowing injection of malicious HTML elements that could trick users into performing actions or redirect them to malicious sites.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade FileRise to version 3.3.0 or later, where the HTML Injection vulnerability has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25230. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart