PT-2026-41532 · Go · Github.Com/Gtsteffaniak/Filebrowser
Published 2026-05-07 · Updated 2026-05-07
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Summary
FileBrowser Quantum serves SVG files inline without a Content-Security-Policy header, so JavaScript embedded in an uploaded SVG executes in the browser of anyone who opens the file through a public share link with inline=true. Verified on v1.3.0-stable.
Affected product
- Product: FileBrowser Quantum (gtsteffaniak/filebrowser)
- Verified version: v1.3.0-stable
- Docker image: gtstef/filebrowser:latest
- Affected endpoint: GET /public/api/resources/download?hash=HASH&inline=true
- CWE: CWE-79 — Cross-site Scripting (Stored)
Impact
- Stored XSS: the malicious SVG persists on the server and its script executes for every visitor who opens the share link with inline=true.
- No authentication required to trigger: the public share link is reachable by anyone who holds it. Uploading the payload does require an account with upload permission, consistent with PR:L in the vector.
- Session hijacking: the script runs in the origin of the FileBrowser instance, so if an authenticated user opens the link it can issue same-origin requests as that user and can read the session credential wherever it is reachable from script (a token in localStorage, or a cookie set without HttpOnly).
- Phishing: the script can redirect the visitor or overlay a fake login form on a page served from the trusted host.
Reproduction
- Log in as any user with upload permission.
- Upload an SVG file containing a script element, for example:

```xml
<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert(document.domain)</script>
</svg>
```

- Create a public share for the file.
- Open the share's download URL with ?inline=true (GET /public/api/resources/download?hash=HASH&inline=true). The script executes in the visitor's browser and the alert shows the FileBrowser host name.
Root cause
The inline download endpoint returns SVG files with:

```
Content-Type: image/svg+xml
Content-Disposition: inline; filename="xss.svg"
X-Content-Type-Options: nosniff
```

but no Content-Security-Policy header. nosniff only stops the browser from guessing a different type; the declared type is already image/svg+xml, which browsers treat as a scriptable document when rendered directly, so the <script> element runs in the origin of the FileBrowser instance. The upstream project (filebrowser/filebrowser) mitigates this by sending:

```
Content-Security-Policy: script-src 'none'
```

Suggested fix
Add a CSP header on inline file downloads:

```go
w.Header().Set("Content-Security-Policy", "script-src 'none'")
```

This matches the upstream filebrowser/filebrowser implementation. script-src 'none' also neutralises inline event handlers and javascript: URLs inside the SVG, not only <script> elements. The header has to be set before the response body is written, and it should be applied on every code path that serves user-uploaded content with Content-Disposition: inline, not just the public share endpoint.
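To make the root cause and the fix concrete, and to give the reproduction steps a header-level check, the following Go program is an added example written for this page; it is not code from FileBrowser Quantum or from upstream filebrowser. serveInline, ProbeHeaders, ScriptCanRun, CSPBlocksScripts, the extension map and the sample SVG are assumptions standing in for the project's handler, which the page does not show. The vulnerable variant emits exactly the three headers listed above, the hardened variant adds the suggested CSP, and ScriptCanRun is the check a tester would apply to the share link's response.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// maliciousSVG is a constructed payload of the same shape as the advisory's
// reproduction step: an SVG document carrying a <script> element.
const maliciousSVG = `<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>`

// contentTypeFor is a minimal extension map (an assumption; the project's own
// lookup is not shown on the page).
func contentTypeFor(name string) string {
	switch strings.ToLower(path.Ext(name)) {
	case ".svg":
		return "image/svg+xml"
	case ".png":
		return "image/png"
	default:
		return "application/octet-stream"
	}
}

// serveInline writes a stored file back for in-browser rendering, the way an
// inline download endpoint does. hardened=false emits the header set the
// advisory observed; hardened=true adds the CSP from the suggested fix.
func serveInline(w http.ResponseWriter, name string, body []byte, hardened bool) {
	w.Header().Set("Content-Type", contentTypeFor(name))
	w.Header().Set("Content-Disposition", fmt.Sprintf("inline; filename=%q", name))
	w.Header().Set("X-Content-Type-Options", "nosniff")
	if hardened {
		// Must be set before WriteHeader/Write; headers added later are dropped.
		w.Header().Set("Content-Security-Policy", "script-src 'none'")
	}
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(body)
}

// ProbeHeaders runs serveInline through httptest and returns the response
// headers, standing in for a GET against the real share link.
func ProbeHeaders(hardened bool) http.Header {
	rec := httptest.NewRecorder()
	serveInline(rec, "xss.svg", []byte(maliciousSVG), hardened)
	return rec.Result().Header
}

// ScriptCanRun reports whether a response with these headers lets an inline
// SVG's <script> execute: the body is declared as SVG, the browser is asked to
// render rather than download it, and no CSP forbids scripts.
func ScriptCanRun(h http.Header) bool {
	if !strings.HasPrefix(strings.ToLower(h.Get("Content-Type")), "image/svg+xml") {
		return false
	}
	if strings.HasPrefix(strings.ToLower(h.Get("Content-Disposition")), "attachment") {
		return false // saved to disk, never rendered as a document
	}
	return !CSPBlocksScripts(h.Get("Content-Security-Policy"))
}

// CSPBlocksScripts parses a policy string and reports whether the effective
// script source list is empty or 'none'. The first script-src wins when
// present (duplicates are ignored by CSP); otherwise default-src applies.
func CSPBlocksScripts(policy string) bool {
	var src []string
	present := false
	for _, directive := range strings.Split(policy, ";") {
		fields := strings.Fields(directive)
		if len(fields) == 0 {
			continue
		}
		switch strings.ToLower(fields[0]) {
		case "script-src":
			return len(fields) == 1 || (len(fields) == 2 && strings.EqualFold(fields[1], "'none'"))
		case "default-src":
			if !present {
				src, present = fields[1:], true
			}
		}
	}
	if !present {
		return false
	}
	return len(src) == 0 || (len(src) == 1 && strings.EqualFold(src[0], "'none'"))
}

func main() {
	for _, hardened := range []bool{false, true} {
		h := ProbeHeaders(hardened)
		fmt.Printf("hardened=%-5v CSP=%-20q script can run: %v\n",
			hardened, h.Get("Content-Security-Policy"), ScriptCanRun(h))
	}
}
```

Running it prints one line per variant; only the unhardened response is reported as letting the script run. The policy parser follows the script-src over default-src fallback rule, so a broader policy such as default-src 'none' is recognised as equally safe, which matters if the project later chooses a stricter header than the one-line fix above.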