Description

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 2.2.3, a stored cross-site scripting (XSS) vulnerability exists in the Filerise application due to improper handling of uploaded SVG files. The application accepts user-supplied SVG uploads without sanitizing or restricting embedded script content. When a malicious SVG containing inline JavaScript or event-based payloads is uploaded, it is later rendered directly in the browser whenever viewed within the application. Because SVGs are XML-based and allow scripting, they execute in the origin context of the application, enabling full stored XSS. This vulnerability is fixed in 2.2.3.

INFO

Published Date :

2025-12-01T22:20:56.602Z

Last Modified :

2025-12-02T14:10:15.416Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66403 vulnerability.

Vendors Products
Filerise
  • Filerise
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66403.

URL Resource
https://github.com/error311/FileRise/commit/f2ce43f18f0444f8f63f7c33758d1837dd5ba91e cve-icon cve-icon
https://github.com/error311/FileRise/security/advisories/GHSA-qrcv-vjvf-fr29 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact