CVE-2026-25230

Sažetak

FileRise is a self-hosted web file manager / WebDAV server. Prior to 3.3.0, an HTML Injection vulnerability allows an authenticated user to modify the DOM and add e.g. form elements that call certain endpoints or link elements that redirect the user on active interaction. This vulnerability is fixed in 3.3.0.

Reference

https://github.com/error311/FileRise/blob/7fee135a5b8feb25558aba0474bd6bb53943fc88/src/controllers/FileController.php#L4016-L4058
https://github.com/error311/FileRise/blob/7fee135a5b8feb25558aba0474bd6bb53943fc88/src/models/FileModel.php#L3146
https://github.com/error311/FileRise/releases/tag/v3.3.0
https://github.com/error311/FileRise/security/advisories/GHSA-h8fw-42v6-gfhv

CVSS

Base:	4.6
Impact:	2.5
Exploitability:	2.1

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	LOW	LOW

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Zadnje važnije ažuriranje

09-02-2026 - 21:55

Objavljeno

09-02-2026 - 20:15