CVE-2026-34529
Stored XSS in File Browser EPUB Preview Allows Script Execution
Publication date: 2026-04-01
Last updated on: 2026-04-06
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| filebrowser | filebrowser | all versions before 2.62.2 (2.62.2 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade File Browser to version 2.62.2 or later, where the issue has been patched.
Avoid previewing EPUB files from untrusted sources until the update is applied.
Can you explain this vulnerability to me?
The vulnerability exists in the EPUB preview function of File Browser versions prior to 2.62.2. It is a Stored Cross-Site Scripting (XSS) issue where JavaScript code embedded inside a specially crafted EPUB file executes in the browser of anyone who previews that file.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute malicious JavaScript in the context of the victim's browser when they preview a crafted EPUB file. This can lead to unauthorized actions such as stealing sensitive information, hijacking user sessions, or performing actions on behalf of the user without their consent.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows malicious JavaScript embedded in a crafted EPUB file to execute in the victim's browser, which can lead to theft of sensitive data such as JWT tokens, session hijacking, and privilege escalation.
Exposure of authentication tokens and the resulting unauthorized access could violate data protection regulations such as GDPR and HIPAA, which require that personal and sensitive information be safeguarded against unauthorized access and breaches.
If exploited, therefore, this vulnerability could compromise compliance with these standards by enabling unauthorized data access and potential data breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting this vulnerability means establishing whether your File Browser instance runs a version prior to 2.62.2 and whether the EPUB preview feature is enabled.
You can check the installed File Browser version by querying it from the binary, for example:
- `filebrowser --version`
If the version is 2.62.1 or earlier, your system is vulnerable.
To detect exploitation attempts on your network, monitor for uploads of EPUB files and subsequent preview requests. Since the exploit involves uploading a crafted EPUB file containing malicious JavaScript, monitoring upload activity for EPUB files is useful.
Example command to find EPUB-related requests in server logs (assuming logs are stored in /var/log/filebrowser.log; the dot is escaped so the pattern matches a literal ".epub" rather than any character followed by "epub", and `-i` also catches upper-case extensions):
- `grep -i '\.epub' /var/log/filebrowser.log`
Additionally, monitoring HTTP requests for preview actions on EPUB files might help detect attempts to trigger the vulnerability.
Since the vulnerability involves JavaScript execution in the browser, network detection of the exploit payload itself is difficult without inspecting client-side behavior or logs.
The best mitigation and detection is to upgrade File Browser to version 2.62.2 or later, which disables scripted content in EPUB previews.
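As an added example (not code from the original page or from the File Browser project), the two checks above in Python: the version test against the 2.62.2 boundary, and a scan of access-log lines that flags an EPUB uploaded by one client and later previewed by a different client, which is the exposure pattern for a stored XSS. The log line layout, the `/api/<endpoint>` path prefixes and the sample entries are constructed assumptions.

```python
import re
FIXED_VERSION = (2, 62, 2)  # first release the advisory reports as patched

# Assumed access-log shape (constructed for this example; File Browser's real
# log format may differ): "<timestamp> <client-ip> <METHOD> <path> <status>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from `filebrowser --version` style output."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(text: str) -> bool:
    """True for any version below 2.62.2 (the fixed version itself is excluded)."""
    return parse_version(text) < FIXED_VERSION

def file_key(path: str) -> str:
    # Strip an assumed "/api/<endpoint>" prefix so upload and preview paths of one file match.
    return re.sub(r"^/api/[a-z]+", "", path).lower()

def epub_events(lines):
    """Classify each .epub request as an 'upload' (POST/PUT) or a 'preview' (GET)."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or not m["path"].lower().endswith(".epub"):
            continue
        kind = "upload" if m["method"] in ("POST", "PUT") else "preview"
        events.append({"ts": m["ts"], "ip": m["ip"], "kind": kind, "file": file_key(m["path"])})
    return events

def cross_user_previews(lines):
    """Return (uploader_ip, viewer_ip, file) where a second client previewed an uploaded .epub."""
    uploader, hits = {}, []
    for e in epub_events(lines):
        if e["kind"] == "upload":
            uploader[e["file"]] = e["ip"]
        elif e["file"] in uploader and uploader[e["file"]] != e["ip"]:
            hits.append((uploader[e["file"]], e["ip"], e["file"]))
    return hits

# Constructed sample log: one client uploads book.epub, another client previews it.
SAMPLE_LOG = """\
2026-04-02T10:00:01Z 10.0.0.5 POST /api/resources/shared/book.epub 200
2026-04-02T10:00:09Z 10.0.0.5 GET /api/resources/shared/ 200
2026-04-02T10:02:30Z 10.0.0.9 GET /api/raw/shared/book.epub 200
"""
```

Run `cross_user_previews(SAMPLE_LOG.splitlines())` to list the upload/preview pairs; an empty list means no cross-client preview of an EPUB was seen in the log window.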