MeldSecurity
Press Enter to search
CVE Database & Search →
Sign In Get Started

CVE-2025-68116

🔴 HIGH

FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-renderable user uploads when s...

Published
Dec 16, 2025
Last Modified
Dec 18, 2025
Views
21
Bookmarks
0

Description

Request Expert Review

FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-renderable user uploads when served through the sharing and download endpoints. An attacker who can get a crafted SVG (primary) or HTML (secondary) file stored in a FileRise instance can cause JavaScript execution when a victim opens a generated share link (and in some cases via the direct download endpoint). This impacts share links (`/api/file/share.php`) and direct file access / download path (`/api/file/download.php`), depending on browser/content-type behavior. Version 2.7.1 fixes the issue.

CVSS Scores

CVSS 3.1 8.9
8.9
HIGH
CVSS 2.0 8.9

References

github.com

Additional Information

Source
security-advisories@github.com
State
Undergoing analysis

Related CVEs

CVE-2025-67847

HIGH

A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to ins...

Score: 8.8

CVE-2025-3839

HIGH

A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be...

Score: 8.0

CVE-2025-15522

MEDIUM

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scrip...

Score: 6.4

CVE-2026-0796

HIGH

ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitra...

Score: 7.2

CVE-2026-0795

HIGH

ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitra...

Score: 7.2

CVE-2026-0794

HIGH

ALGO 8180 IP Audio Alerter SIP Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary cod...

Score: 8.1

Share CVE-2025-68116

Share on Social Media

Copy Link

Embed Code

Request Expert Analysis

Request a professional security analysis for CVE-2025-68116 from our verified experts.

Credits System

Use your credits to get expert analysis from verified security professionals. Purchase more credits anytime!

Add 3 credits for accelerated delivery

Base Cost: 8 credits
Priority Upgrade: + credits
SLA Acceleration: +3 credits
Total Cost:
Your Balance:

Insufficient Credits

You need more credits to submit this request.

Buy Credits

Report Analysis