PT-2026-29426

Tomasvanagas · Published 2026-03-31 · Updated 2026-04-02

CVE-2026-34529 · CVSS v3.1 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: File Browser versions prior to 2.62.2

Description: File Browser's EPUB preview is vulnerable to stored cross-site scripting (XSS). A crafted EPUB file containing JavaScript executes in the victim's browser when the file is previewed. The cause is the frontend/src/views/files/Preview.vue component passing allowScriptedContent: true to the vue-reader component. With that option set, the chapter iframe's sandbox attribute carries both allow-scripts and allow-same-origin, a combination that renders the sandbox ineffective: the embedded script runs with the parent page's origin and can read the parent frame's DOM and storage. The epub.js developers explicitly warn against enabling scripted content. The reporter's proof of concept (PoC) steals JWT tokens and exfiltrates the victim's public IP address. An attacker with upload access can therefore hijack the session of any user who previews the file and thereby escalate privileges.

Recommendations: Update File Browser to version 2.62.2 or later.
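The following JavaScript is an added example and is not part of this advisory, nor code from File Browser, vue-reader or epub.js. It audits an iframe sandbox attribute and applies the audit to the preview configuration described above, to make explicit why allow-scripts together with allow-same-origin leaves a script in the chapter frame free to reach the parent page. It assumes that epub.js sets the chapter iframe's sandbox to "allow-same-origin" and appends "allow-scripts" when allowScriptedContent is true (modelled by the hypothetical helper epubjsSandboxFor), and that chapter markup written into the frame would share the embedding page's origin if the sandbox did not forbid it.

```javascript
// Added example (not code from File Browser, vue-reader or epub.js): audits an
// iframe sandbox attribute to show why the preview configuration in this
// advisory defeats the sandbox. Assumptions: epub.js sets the chapter iframe's
// sandbox to "allow-same-origin" and appends "allow-scripts" when
// allowScriptedContent is true (modelled by the hypothetical helper
// epubjsSandboxFor), and chapter markup written into the frame would share the
// embedding page's origin if the sandbox did not forbid it.

// Parse the sandbox attribute: an unordered, case-insensitive set of
// space-separated tokens. null means the attribute is absent entirely.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// What can a script inside the frame do? `contentSharesOrigin` says whether
// the framed document would be same-origin with the embedder absent any
// sandbox (true for content written via document.write/srcdoc, false for a
// document fetched from another origin).
function auditIframeSandbox({ sandbox, contentSharesOrigin }) {
  const tokens = parseSandbox(sandbox);
  const sandboxed = tokens !== null;
  const scriptsRun = !sandboxed || tokens.has('allow-scripts');
  // Without allow-same-origin a sandboxed frame gets an opaque origin, so even
  // same-origin content cannot touch window.parent or its storage.
  const sameOrigin =
    contentSharesOrigin && (!sandboxed || tokens.has('allow-same-origin'));
  const parentReachable = scriptsRun && sameOrigin;

  let verdict;
  if (!scriptsRun) {
    verdict = 'safe: scripts do not run';
  } else if (!sameOrigin) {
    verdict = 'contained: scripts run in an opaque or foreign origin';
  } else if (sandboxed) {
    // The HTML spec's own warning: with both keywords on same-origin content
    // the frame can read the parent's DOM and storage, and can even remove the
    // sandbox attribute from its own <iframe> and reload itself.
    verdict = 'ineffective: allow-scripts + allow-same-origin on same-origin content';
  } else {
    verdict = 'unsandboxed: no sandbox attribute on same-origin content';
  }
  return { sandboxed, scriptsRun, sameOrigin, parentReachable, verdict };
}

// Hypothetical model of how the rendition option maps to the sandbox attribute.
function epubjsSandboxFor(allowScriptedContent) {
  return allowScriptedContent ? 'allow-same-origin allow-scripts' : 'allow-same-origin';
}

// The EPUB preview as the advisory describes it (allowScriptedContent: true)
// next to the same preview with scripted content left disabled.
function auditPreviewConfig(allowScriptedContent) {
  return auditIframeSandbox({
    sandbox: epubjsSandboxFor(allowScriptedContent),
    contentSharesOrigin: true, // chapter HTML is written into the frame, not fetched cross-origin
  });
}

function main() {
  for (const allowScriptedContent of [true, false]) {
    const r = auditPreviewConfig(allowScriptedContent);
    console.log(`allowScriptedContent: ${allowScriptedContent} -> ${r.verdict}`);
  }
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run it with Node to see the two verdicts side by side. The point the audit makes is that allow-scripts on its own is contained (the frame gets an opaque origin and cannot reach window.parent), and allow-same-origin on its own runs no script at all; it is only the pair, on content that already shares the embedder's origin, that turns the sandbox into a no-op. That is the condition the preview satisfied before 2.62.2, and it is the check to apply to any other same-origin iframe embedding of untrusted documents.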

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-34529
GHSA-5VPR-4FGW-F69H

Affected Products

Filebrowser
Epub.Js
Vue-Reader