CVE-2025-52902: filebrowser allows Stored Cross-Site Scripting through the Markdown preview function
The Markdown preview function of File Browser v2.32.0 is vulnerable to Stored Cross-Site Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser.
References
- github.com/advisories/GHSA-4wx8-5gm2-2j97
- github.com/filebrowser/filebrowser
- github.com/filebrowser/filebrowser/commit/f19943a42e8e092e811dffbe9f4623dac36f1f0d
- github.com/filebrowser/filebrowser/security/advisories/GHSA-4wx8-5gm2-2j97
- github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-04_Filebrowser_Stored_XSS
- nvd.nist.gov/vuln/detail/CVE-2025-52902
- pkg.go.dev/vuln/GO-2025-3784