PT-2025-51741 · Filerise · Filerise

Published: 2025-12-16 · Updated: 2026-01-02 · CVE-2025-68116
CVSS v3.1: 8.9 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: FileRise versions prior to 2.7.1

Description: FileRise is a self-hosted web file manager and WebDAV server. Versions prior to 2.7.1 are susceptible to Stored Cross-Site Scripting (XSS) because browser-renderable user uploads (such as SVG and HTML files) are handled unsafely when served through the sharing and download endpoints. An attacker who can upload a crafted SVG or HTML file to a FileRise instance can cause JavaScript execution in the context of the FileRise origin when a victim opens a generated share link or, in some cases, via the direct download endpoint. The issue affects share links served by the /api/file/share.php endpoint and direct file access / download via the /api/file/download.php endpoint.

Recommendations: Update FileRise to version 2.7.1 or later.
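As an added illustration (not FileRise's own code), the following Python sketch shows the defensive pattern this class of bug calls for: decide on the sniffed content rather than the extension, serve anything browser-renderable as an attachment with a non-renderable type and a sandboxing CSP, and audit responses for the vulnerable header combination. The header values, the sample SVG and the assumed unpatched response are constructed for the example, not taken from the project.

```python
import re
from urllib.parse import quote

# Content types a browser renders inline; script inside such a body runs in
# the serving origin, which is the root cause of stored XSS via uploads.
BROWSER_RENDERABLE = {"image/svg+xml", "text/html", "application/xhtml+xml",
                      "text/xml", "application/xml"}
SNIFF_PATTERNS = (
    (re.compile(rb"<svg[\s>]", re.I), "image/svg+xml"),
    (re.compile(rb"<(!doctype\s+html|html|script|iframe|body)[\s>]", re.I), "text/html"),
)

def sniff_type(head: bytes) -> "str | None":
    """Return a renderable MIME type if the leading bytes look like SVG/HTML."""
    for pattern, mime in SNIFF_PATTERNS:
        if pattern.search(head[:1024]):
            return mime
    return None

def download_headers(filename: str, declared_type: str, head: bytes) -> dict:
    """Build response headers for an untrusted upload so it is never rendered
    inline in the application's origin, regardless of extension or declared type."""
    effective = sniff_type(head) or declared_type.lower()
    renderable = effective in BROWSER_RENDERABLE
    # Drop path separators, quotes and line breaks, then RFC 5987-encode the name.
    safe_name = re.sub(r'[\\/\r\n"]', "_", filename) or "download"
    return {
        "Content-Type": "application/octet-stream" if renderable else declared_type,
        "Content-Disposition": f"attachment; filename*=UTF-8''{quote(safe_name)}",
        "X-Content-Type-Options": "nosniff",  # browser must not override our type
        # Defence in depth: even an inline render could not run script or reach
        # the app's cookies and storage.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }

def is_risky_response(headers: dict) -> bool:
    """Audit check: True if a response would render an upload inline with a
    browser-renderable type and no sandbox, i.e. the vulnerable pattern."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    inline = not h.get("content-disposition", "").lower().startswith("attachment")
    sandboxed = "sandbox" in h.get("content-security-policy", "")
    return ctype in BROWSER_RENDERABLE and inline and not sandboxed

# Constructed sample: an SVG carrying script, uploaded as "logo.png" with a
# spoofed declared type to get past extension-based filtering.
EVIL_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* any script */</script></svg>'
# Assumed shape of an unpatched response (not taken from FileRise).
VULNERABLE = {"Content-Type": "image/svg+xml"}

if __name__ == "__main__":
    print(download_headers("logo.png", "image/png", EVIL_SVG))
    print(is_risky_response(VULNERABLE))
```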

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2025-68116, GHSA-35PP-GGH6-C59C

Affected Products: Filerise