Filebrowser — CraftedSignal Threat Feed

File Browser Share Links Accessible After Permission Revocation

hello@craftedsignal.io — Wed, 08 Apr 2026 00:04:59 +0000

File Browser versions prior to 2.63.1 contain an authorization bypass vulnerability. Specifically, when an administrator revokes a user’s share and download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The vulnerability exists because the public share download handler (http/public.go) does not re-check the share owner’s current permissions when serving shared files. This can lead to unauthorized data access and a false sense of security for administrators who believe that revoking permissions immediately terminates access to shared resources. The issue was verified against version 2.62.2 (commit 860c19d).

Attack Chain

An administrator creates a user account with Share and Download permissions.
The user logs in and creates a share link for a file (e.g., secret.txt). The system generates a hash (e.g., fB4Qwtsn) associated with the share.
An unauthenticated user accesses the file via the share link (e.g., /api/public/dl/fB4Qwtsn), successfully downloading the content.
The administrator revokes the user’s Share and Download permissions via the API, modifying the user’s record in the system.
The revoked user attempts to create a new share link and is correctly denied access (403 Forbidden).
An unauthenticated user attempts to access the file using the previously created share link (e.g., /api/public/dl/fB4Qwtsn).
The system retrieves the share link information but fails to validate if the original user still possesses Share and Download permissions.
The system serves the file, bypassing the intended authorization restrictions and granting unauthorized access.

Impact

The vulnerability allows unauthorized access to files shared through File Browser, even after an administrator has revoked the share creator’s permissions. This can result in data breaches, as users who should no longer have access to shared resources can still retrieve them via existing share links. The administrator may believe that revoking permissions immediately stops all sharing, leading to a false sense of security. This is particularly impactful in environments where sensitive data is shared via File Browser and access control is critical.

Recommendation

Upgrade File Browser to version 2.63.1 or later to patch CVE-2026-35604.
Monitor web server logs for access to /api/public/dl/* endpoints (logsource: webserver, product: linux/windows) after revoking user permissions; correlate with user permission changes.
Implement the suggested fix by adding permission re-validation in withHashFile as described in the advisory.

File Browser EPUB Preview Stored XSS Vulnerability (CVE-2026-34529)

hello@craftedsignal.io — Wed, 01 Apr 2026 21:17:00 +0000

File Browser is a file management interface used for uploading, deleting, previewing, renaming, and editing files. A stored XSS vulnerability, identified as CVE-2026-34529, exists within the EPUB preview functionality of File Browser versions prior to 2.62.2. An attacker can exploit this vulnerability by crafting a malicious EPUB file containing embedded JavaScript. When a user previews the malicious EPUB file through the File Browser interface, the embedded JavaScript executes within their browser, potentially leading to session hijacking, defacement, or redirection to malicious websites. This vulnerability has been addressed in File Browser version 2.62.2.

Attack Chain

Attacker crafts a malicious EPUB file containing embedded JavaScript designed for XSS exploitation.
Attacker uploads the malicious EPUB file to a File Browser instance. This could be achieved if the attacker has write access to the file system, via compromised credentials or anonymous upload functionality (if enabled).
A legitimate user, with access to the File Browser, navigates to the directory containing the malicious EPUB file.
The user previews the EPUB file using the File Browser’s built-in preview function.
The File Browser processes the EPUB file, triggering the vulnerable code in the EPUB preview functionality.
The embedded JavaScript within the EPUB file executes in the user’s browser in the context of the File Browser application.
The attacker’s JavaScript payload can then perform actions such as stealing cookies, redirecting the user, or defacing the File Browser interface.
The attacker can use the stolen cookies to impersonate the user or further compromise the File Browser instance.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user’s browser. This can lead to session hijacking, where an attacker steals a user’s session cookie and impersonates them, potentially gaining unauthorized access to sensitive files and system resources. Further consequences include defacement of the File Browser interface, redirection of users to malicious websites, and potentially further compromise of the server hosting the File Browser application depending on the permissions of the compromised user account.

Recommendation

Upgrade File Browser instances to version 2.62.2 or later to patch the XSS vulnerability (CVE-2026-34529).
Implement input validation and sanitization on file uploads to prevent the injection of malicious code.
Consider deploying a Content Security Policy (CSP) to restrict the execution of JavaScript from untrusted sources.
Enable logging on the webserver hosting File Browser to capture details of requests for EPUB files, which can be used to detect exploitation attempts.

File Browser Stored XSS via Crafted EPUB File

hello@craftedsignal.io — Tue, 31 Mar 2026 23:44:36 +0000

File Browser, a web-based file management application, is susceptible to stored XSS attacks in versions 2.62.1 and earlier. The vulnerability stems from the application’s EPUB preview functionality, which allows scripted content (allowScriptedContent: true) to execute within an iframe. The iframe’s sandbox is misconfigured, including both allow-scripts and allow-same-origin, effectively bypassing the intended security restrictions. An attacker can upload a specially crafted EPUB file containing malicious JavaScript code. When a user previews the file, the embedded JavaScript executes in their browser, enabling session hijacking via JWT token theft, data exfiltration, and potential privilege escalation if the victim is an administrator. This vulnerability is similar to CVE-2024-35236 found in audiobookshelf, highlighting a recurring pattern of insecure EPUB handling.

Attack Chain

An attacker crafts a malicious EPUB file containing embedded JavaScript designed to steal JWT tokens and exfiltrate data.
The attacker authenticates to the File Browser application with a valid, potentially low-privilege, user account.
The attacker uploads the malicious EPUB file to the File Browser server via the /api/resources endpoint, potentially overwriting existing files using the override=true parameter.
The server stores the malicious EPUB file.
A victim, potentially an administrator, views the uploaded EPUB file through the File Browser’s web interface, triggering the EPUB preview function.
The application renders the EPUB file within an iframe. Due to the allowScriptedContent setting and misconfigured sandbox, the embedded JavaScript executes.
The JavaScript steals the victim’s JWT token from window.parent.localStorage and exfiltrates it to an attacker-controlled server (https://attacker.example/?stolen=). It may also attempt to gather additional information, such as the victim’s public IP address by requesting https://ifconfig.me/ip.
The attacker uses the stolen JWT token to hijack the victim’s session, potentially gaining administrative privileges.

Impact

Successful exploitation of this XSS vulnerability allows attackers to steal JWT tokens, leading to full session hijacking and potential privilege escalation. A low-privilege user with upload permissions can compromise administrator accounts. This can lead to unauthorized access to sensitive files, data exfiltration, and modification or deletion of critical data. The vulnerability affects File Browser instances version 2.62.1 and earlier.

Recommendation

Apply patches or upgrade File Browser to a version greater than 2.62.1 to mitigate CVE-2026-34529.
Deploy the Sigma rule Detect File Browser EPUB XSS Attempt to identify potential exploitation attempts by monitoring for network connections to ifconfig.me originating from the File Browser application.
Deploy the Sigma rule Detect File Browser JWT Exfiltration to detect potential exfiltration of JWT tokens by monitoring network connections to attacker.example with a stolen parameter.
Disable EPUB preview functionality or sanitize EPUB files before rendering them to prevent the execution of malicious scripts. This addresses the root cause by preventing attacker-controlled JavaScript execution.
Review and harden the iframe sandbox configuration used for EPUB previews to restrict access to sensitive resources and prevent script execution, if preview functionality cannot be disabled.