{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/filebrowser/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-35604"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["filebrowser","authorization-bypass","github-advisory","cve-2026-35604"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFile Browser versions prior to 2.63.1 contain an authorization bypass vulnerability. Specifically, when an administrator revokes a user\u0026rsquo;s share and download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The vulnerability exists because the public share download handler (\u003ccode\u003ehttp/public.go\u003c/code\u003e) does not re-check the share owner\u0026rsquo;s current permissions when serving shared files. This can lead to unauthorized data access and a false sense of security for administrators who believe that revoking permissions immediately terminates access to shared resources. The issue was verified against version 2.62.2 (commit 860c19d).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator creates a user account with Share and Download permissions.\u003c/li\u003e\n\u003cli\u003eThe user logs in and creates a share link for a file (e.g., \u003ccode\u003esecret.txt\u003c/code\u003e). The system generates a hash (e.g., \u003ccode\u003efB4Qwtsn\u003c/code\u003e) associated with the share.\u003c/li\u003e\n\u003cli\u003eAn unauthenticated user accesses the file via the share link (e.g., \u003ccode\u003e/api/public/dl/fB4Qwtsn\u003c/code\u003e), successfully downloading the content.\u003c/li\u003e\n\u003cli\u003eThe administrator revokes the user\u0026rsquo;s Share and Download permissions via the API, modifying the user\u0026rsquo;s record in the system.\u003c/li\u003e\n\u003cli\u003eThe revoked user attempts to create a new share link and is correctly denied access (403 Forbidden).\u003c/li\u003e\n\u003cli\u003eAn unauthenticated user attempts to access the file using the previously created share link (e.g., \u003ccode\u003e/api/public/dl/fB4Qwtsn\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe system retrieves the share link information but fails to validate if the original user still possesses Share and Download permissions.\u003c/li\u003e\n\u003cli\u003eThe system serves the file, bypassing the intended authorization restrictions and granting unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows unauthorized access to files shared through File Browser, even after an administrator has revoked the share creator\u0026rsquo;s permissions. This can result in data breaches, as users who should no longer have access to shared resources can still retrieve them via existing share links. The administrator may believe that revoking permissions immediately stops all sharing, leading to a false sense of security. This is particularly impactful in environments where sensitive data is shared via File Browser and access control is critical.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade File Browser to version 2.63.1 or later to patch CVE-2026-35604.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for access to \u003ccode\u003e/api/public/dl/*\u003c/code\u003e endpoints (logsource: webserver, product: linux/windows) after revoking user permissions; correlate with user permission changes.\u003c/li\u003e\n\u003cli\u003eImplement the suggested fix by adding permission re-validation in \u003ccode\u003ewithHashFile\u003c/code\u003e as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T00:04:59Z","date_published":"2026-04-08T00:04:59Z","id":"/briefs/2026-04-filebrowser-share-bypass/","summary":"File Browser share links remain accessible after Share/Download permissions are revoked, allowing continued access to shared files even after an administrator revokes the user's permissions.","title":"File Browser Share Links Accessible After Permission Revocation","url":"https://feed.craftedsignal.io/briefs/2026-04-filebrowser-share-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["xss","filebrowser","cve-2026-34529"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFile Browser is a file management interface used for uploading, deleting, previewing, renaming, and editing files. A stored XSS vulnerability, identified as CVE-2026-34529, exists within the EPUB preview functionality of File Browser versions prior to 2.62.2. An attacker can exploit this vulnerability by crafting a malicious EPUB file containing embedded JavaScript. When a user previews the malicious EPUB file through the File Browser interface, the embedded JavaScript executes within their browser, potentially leading to session hijacking, defacement, or redirection to malicious websites. This vulnerability has been addressed in File Browser version 2.62.2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious EPUB file containing embedded JavaScript designed for XSS exploitation.\u003c/li\u003e\n\u003cli\u003eAttacker uploads the malicious EPUB file to a File Browser instance. This could be achieved if the attacker has write access to the file system, via compromised credentials or anonymous upload functionality (if enabled).\u003c/li\u003e\n\u003cli\u003eA legitimate user, with access to the File Browser, navigates to the directory containing the malicious EPUB file.\u003c/li\u003e\n\u003cli\u003eThe user previews the EPUB file using the File Browser\u0026rsquo;s built-in preview function.\u003c/li\u003e\n\u003cli\u003eThe File Browser processes the EPUB file, triggering the vulnerable code in the EPUB preview functionality.\u003c/li\u003e\n\u003cli\u003eThe embedded JavaScript within the EPUB file executes in the user\u0026rsquo;s browser in the context of the File Browser application.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript payload can then perform actions such as stealing cookies, redirecting the user, or defacing the File Browser interface.\u003c/li\u003e\n\u003cli\u003eThe attacker can use the stolen cookies to impersonate the user or further compromise the File Browser instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user\u0026rsquo;s browser. This can lead to session hijacking, where an attacker steals a user\u0026rsquo;s session cookie and impersonates them, potentially gaining unauthorized access to sensitive files and system resources. Further consequences include defacement of the File Browser interface, redirection of users to malicious websites, and potentially further compromise of the server hosting the File Browser application depending on the permissions of the compromised user account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade File Browser instances to version 2.62.2 or later to patch the XSS vulnerability (CVE-2026-34529).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on file uploads to prevent the injection of malicious code.\u003c/li\u003e\n\u003cli\u003eConsider deploying a Content Security Policy (CSP) to restrict the execution of JavaScript from untrusted sources.\u003c/li\u003e\n\u003cli\u003eEnable logging on the webserver hosting File Browser to capture details of requests for EPUB files, which can be used to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T21:17:00Z","date_published":"2026-04-01T21:17:00Z","id":"/briefs/2026-04-filebrowser-xss/","summary":"File Browser versions prior to 2.62.2 are vulnerable to stored cross-site scripting (XSS) via the EPUB preview function, allowing attackers to execute arbitrary JavaScript in a user's browser by embedding malicious code in a crafted EPUB file.","title":"File Browser EPUB Preview Stored XSS Vulnerability (CVE-2026-34529)","url":"https://feed.craftedsignal.io/briefs/2026-04-filebrowser-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":4.8,"id":"CVE-2024-35236"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["filebrowser","xss","epub","cve-2026-34529"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFile Browser, a web-based file management application, is susceptible to stored XSS attacks in versions 2.62.1 and earlier. The vulnerability stems from the application\u0026rsquo;s EPUB preview functionality, which allows scripted content (\u003ccode\u003eallowScriptedContent: true\u003c/code\u003e) to execute within an iframe.  The iframe\u0026rsquo;s sandbox is misconfigured, including both \u003ccode\u003eallow-scripts\u003c/code\u003e and \u003ccode\u003eallow-same-origin\u003c/code\u003e, effectively bypassing the intended security restrictions. An attacker can upload a specially crafted EPUB file containing malicious JavaScript code. When a user previews the file, the embedded JavaScript executes in their browser, enabling session hijacking via JWT token theft, data exfiltration, and potential privilege escalation if the victim is an administrator.  This vulnerability is similar to CVE-2024-35236 found in audiobookshelf, highlighting a recurring pattern of insecure EPUB handling.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious EPUB file containing embedded JavaScript designed to steal JWT tokens and exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the File Browser application with a valid, potentially low-privilege, user account.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious EPUB file to the File Browser server via the \u003ccode\u003e/api/resources\u003c/code\u003e endpoint, potentially overwriting existing files using the \u003ccode\u003eoverride=true\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe server stores the malicious EPUB file.\u003c/li\u003e\n\u003cli\u003eA victim, potentially an administrator, views the uploaded EPUB file through the File Browser\u0026rsquo;s web interface, triggering the EPUB preview function.\u003c/li\u003e\n\u003cli\u003eThe application renders the EPUB file within an iframe. Due to the \u003ccode\u003eallowScriptedContent\u003c/code\u003e setting and misconfigured sandbox, the embedded JavaScript executes.\u003c/li\u003e\n\u003cli\u003eThe JavaScript steals the victim\u0026rsquo;s JWT token from \u003ccode\u003ewindow.parent.localStorage\u003c/code\u003e and exfiltrates it to an attacker-controlled server (\u003ccode\u003ehttps://attacker.example/?stolen=\u003c/code\u003e). It may also attempt to gather additional information, such as the victim\u0026rsquo;s public IP address by requesting \u003ccode\u003ehttps://ifconfig.me/ip\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen JWT token to hijack the victim\u0026rsquo;s session, potentially gaining administrative privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability allows attackers to steal JWT tokens, leading to full session hijacking and potential privilege escalation. A low-privilege user with upload permissions can compromise administrator accounts. This can lead to unauthorized access to sensitive files, data exfiltration, and modification or deletion of critical data. The vulnerability affects File Browser instances version 2.62.1 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or upgrade File Browser to a version greater than 2.62.1 to mitigate CVE-2026-34529.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect File Browser EPUB XSS Attempt\u003c/code\u003e to identify potential exploitation attempts by monitoring for network connections to \u003ccode\u003eifconfig.me\u003c/code\u003e originating from the File Browser application.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect File Browser JWT Exfiltration\u003c/code\u003e to detect potential exfiltration of JWT tokens by monitoring network connections to \u003ccode\u003eattacker.example\u003c/code\u003e with a \u003ccode\u003estolen\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eDisable EPUB preview functionality or sanitize EPUB files before rendering them to prevent the execution of malicious scripts. This addresses the root cause by preventing attacker-controlled JavaScript execution.\u003c/li\u003e\n\u003cli\u003eReview and harden the iframe sandbox configuration used for EPUB previews to restrict access to sensitive resources and prevent script execution, if preview functionality cannot be disabled.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T23:44:36Z","date_published":"2026-03-31T23:44:36Z","id":"/briefs/2024-07-filebrowser-xss/","summary":"File Browser version 2.62.1 and earlier is vulnerable to stored cross-site scripting (XSS) via crafted EPUB files, allowing attackers to execute arbitrary JavaScript in a victim's browser by exploiting the application's misconfigured iframe sandbox and stealing sensitive information like JWT tokens.","title":"File Browser Stored XSS via Crafted EPUB File","url":"https://feed.craftedsignal.io/briefs/2024-07-filebrowser-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Filebrowser","version":"https://jsonfeed.org/version/1.1"}