
CVE-2026-25230: FileRise XSS Vulnerability

CVE-2026-25230 is an HTML injection (XSS) flaw in FileRise, a self-hosted web file manager. Authenticated users can inject markup that modifies the DOM seen by other users. This article covers technical details, affected versions, and mitigation.


CVE-2026-25230 Overview

CVE-2026-25230 is an HTML Injection vulnerability in FileRise, a self-hosted web file manager and WebDAV server. The flaw affects all versions prior to 3.3.0 and is tracked under [CWE-79]. An authenticated user can inject HTML markup that modifies the Document Object Model (DOM) of the application. Injected content can include form elements that call sensitive endpoints or link elements that redirect victims on interaction. The vendor addressed the issue in FileRise 3.3.0.

Critical Impact

Authenticated attackers can manipulate the FileRise DOM to deliver crafted forms or redirects against other users, enabling phishing, request forgery, and session abuse on the same origin.

Affected Products

  • FileRise versions prior to 3.3.0
  • FileRise self-hosted web file manager deployments
  • FileRise WebDAV server deployments

Discovery Timeline

  • 2026-02-09 - CVE-2026-25230 published to the National Vulnerability Database (NVD)
  • 2026-02-19 - Last updated in NVD database

Technical Details for CVE-2026-25230

Vulnerability Analysis

The vulnerability is an HTML Injection flaw classified under [CWE-79] (Improper Neutralization of Input During Web Page Generation). FileRise renders user-controlled input into pages without sufficient sanitization or encoding. An authenticated user can submit content that the application later embeds into the rendered DOM of other users or sessions.

Because the injected markup executes in the security context of the FileRise origin, an attacker can introduce arbitrary HTML structures into legitimate pages. The advisory specifically notes the ability to add form elements that target FileRise endpoints, and link elements that redirect users when activated. Exploitation requires user interaction with the injected content for the malicious action to trigger.

The impact is limited confidentiality and integrity loss within the application boundary. In CVSS terms the scope is changed, because the injected content executes in the victim's browser session, a security context different from the attacker's own account.

Root Cause

The root cause is missing output neutralization in FileRise file handling logic. The vendor advisory points to handler code in src/controllers/FileController.php and rendering logic in src/models/FileModel.php, where user-supplied values are emitted into HTML responses without strict encoding or allow-listing. See the GitHub Security Advisory GHSA-h8fw-42v6-gfhv for vendor details.
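The flawed pattern described above, rendering a stored value straight into HTML, shown beside its hardened form. This is an added illustration in Python and not FileRise's own PHP code; the file names, the row layout and the /download endpoint are constructed for the example, and the payload shapes (a planted form and a planted redirect link) follow the advisory's description.

```python
import html
import re
from urllib.parse import quote

# Constructed sample values (not taken from FileRise); the payload shapes follow
# the advisory text: a planted <form> and a planted redirect <a>.
PLANTED_FORM_NAME = (
    '<form action="/api/file/delete" method="post">'
    '<button>Open folder</button></form>report.txt'
)
PLANTED_LINK_NAME = (
    'notes.txt"><a href="https://attacker.invalid/login">Session expired, sign in</a><i x="'
)
CLEAN_NAME = "Q1 report & budget.xlsx"

TAG_RE = re.compile(r"<\s*/?[A-Za-z][^>]*>")


def render_row_vulnerable(name: str) -> str:
    """Flawed pattern (hypothetical): the stored name is concatenated into the
    response unchanged, both as a text node and inside an attribute value."""
    return (
        f'<tr><td class="name">{name}</td>'
        f'<td><a href="/download?name={name}">download</a></td></tr>'
    )


def render_row_fixed(name: str) -> str:
    """Hardened pattern: encode for each output context separately."""
    text = html.escape(name, quote=True)             # & < > " ' become entities
    href = "/download?name=" + quote(name, safe="")  # percent-encode the query value
    return (
        f'<tr><td class="name">{text}</td>'
        f'<td><a href="{html.escape(href, quote=True)}">download</a></td></tr>'
    )


def contains_markup(value: str) -> bool:
    """Input-side check a handler can apply before storing a user-supplied field."""
    return TAG_RE.search(value) is not None


def count_elements(markup: str, tag: str) -> int:
    """Number of live (unencoded) start tags of the given name in rendered output."""
    return len(re.findall(rf"<{tag}\b", markup, flags=re.IGNORECASE))


if __name__ == "__main__":
    for name in (PLANTED_FORM_NAME, PLANTED_LINK_NAME, CLEAN_NAME):
        print("vulnerable:", render_row_vulnerable(name))
        print("fixed:     ", render_row_fixed(name))
        print("markup in input:", contains_markup(name))
```

Output encoding is the fix the advisory describes; the input-side check is a defence in depth that catches markup early but must not replace encoding, since a legitimate name like `Q1 report & budget.xlsx` still needs the ampersand entity-encoded.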

Attack Vector

The attack vector is network-based and requires an authenticated session with low privileges. The attacker stores malicious HTML markup through FileRise functionality that accepts user input. A second user must view the affected resource and interact with the injected element, such as submitting a planted form or clicking a planted link. Successful interaction can issue requests to FileRise endpoints under the victim's session or redirect the victim to attacker-controlled infrastructure.

No public proof-of-concept exploit, ExploitDB entry, or CISA KEV listing is associated with this CVE at the time of publication.

The vulnerability involves DOM-level HTML injection rather than script execution; see the source references in FileController.php and FileModel.php for the affected code paths.

Detection Methods for CVE-2026-25230

Indicators of Compromise

  • File or folder names, metadata, or notes stored in FileRise containing raw HTML tags such as <form>, <a>, <iframe>, or <meta http-equiv="refresh">.
  • FileRise audit or web server logs showing POST requests that submit markup-laden values to file management endpoints.
  • Unexpected outbound redirects originating from authenticated FileRise sessions to external domains.

Detection Strategies

  • Inspect FileRise database tables and storage metadata for HTML tag characters (<, >, quotes) in user-controlled fields.
  • Review HTTP request bodies sent to endpoints handled by FileController.php for tag characters such as < and > in fields that should be plain text.
  • Correlate authenticated user activity with anomalous form submissions from victim accounts that target privileged FileRise endpoints.

Monitoring Recommendations

  • Enable verbose access logging on the FileRise web server and forward logs to a centralized analytics platform.
  • Alert on responses that include user-submitted strings rendered without HTML entity encoding.
  • Track FileRise version banners across the estate and flag any instance below 3.3.0.
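A small detection script covering the strategies listed above (stored-field inspection, request-body review, and the version check from the monitoring list). This is an added example, not FileRise tooling; the metadata field names, the JSON-lines audit log format and the /api/file/ endpoint prefix are assumptions, and all records and log lines are constructed.

```python
import json
import re

# A start tag of any element name; the IoC list names <form>, <a>, <iframe> and
# <meta http-equiv="refresh">, but any tag in a plain-text field is suspect.
TAG_RE = re.compile(r"<\s*([A-Za-z][A-Za-z0-9-]*)\b[^>]*>")
TAG_CHARS = re.compile(r"[<>]")
FIXED_VERSION = (3, 3, 0)  # first release with the fix, per the advisory

# Constructed sample of stored metadata records (field names are assumptions).
SAMPLE_METADATA = [
    {"id": 1, "owner": "alice", "name": "budget.xlsx", "notes": "Q1 numbers"},
    {"id": 2, "owner": "mallory",
     "name": '<form action="/api/file/delete" method="post"><button>Open</button></form>',
     "notes": ""},
    {"id": 3, "owner": "mallory", "name": "readme.txt",
     "notes": '<meta http-equiv="refresh" content="0;url=https://attacker.invalid/">'},
]

# Constructed sample audit log (JSON lines). An audit log that records request
# bodies and the /api/file/ path prefix are both assumptions.
SAMPLE_AUDIT_LOG = """
{"ts": "2026-02-10T09:12:01Z", "user": "alice", "method": "POST", "path": "/api/file/rename", "body": {"name": "budget-v2.xlsx"}}
{"ts": "2026-02-10T09:13:44Z", "user": "mallory", "method": "POST", "path": "/api/file/rename", "body": {"name": "<form action=\\"/api/file/delete\\"><button>Open</button></form>"}}
{"ts": "2026-02-10T09:14:02Z", "user": "bob", "method": "GET", "path": "/api/file/list", "body": {}}
{"ts": "2026-02-10T09:15:30Z", "user": "bob", "method": "POST", "path": "/api/file/move", "body": {"name": "a > b.txt"}}
"""


def scan_metadata(records):
    """Flag stored fields that hold something shaped like an HTML tag."""
    findings = []
    for rec in records:
        for field in ("name", "notes"):
            m = TAG_RE.search(rec.get(field, ""))
            if m:
                findings.append({"id": rec["id"], "owner": rec["owner"],
                                 "field": field, "tag": m.group(1).lower()})
    return findings


def scan_audit_log(text):
    """Flag POST bodies to file-management endpoints that carry tag characters.
    'tag' means a full start tag was present; 'tag-char' is a lone < or > for triage."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("method") != "POST" or not ev.get("path", "").startswith("/api/file/"):
            continue
        for field, value in ev.get("body", {}).items():
            if not isinstance(value, str) or not TAG_CHARS.search(value):
                continue
            kind = "tag" if TAG_RE.search(value) else "tag-char"
            hits.append({"user": ev["user"], "path": ev["path"],
                         "field": field, "kind": kind})
    return hits


def version_below_fix(banner: str) -> bool:
    """True when a FileRise version banner is below the fixed release 3.3.0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError(f"no version in banner: {banner!r}")
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION


if __name__ == "__main__":
    for f in scan_metadata(SAMPLE_METADATA):
        print("stored markup:", f)
    for h in scan_audit_log(SAMPLE_AUDIT_LOG):
        print("suspicious request:", h)
    for banner in ("FileRise 3.2.9", "FileRise v3.3.0"):
        print(banner, "needs upgrade" if version_below_fix(banner) else "patched")
```

The split between `tag` and `tag-char` matters in practice: a lone `>` in a file name is usually benign, while a complete start tag in a field that should be plain text deserves a look at the owning account and anything else it has stored.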

How to Mitigate CVE-2026-25230

Immediate Actions Required

  • Upgrade FileRise to version 3.3.0 or later using the GitHub Release v3.3.0 package.
  • Audit existing FileRise content for stored HTML payloads in file names, metadata, and shared notes.
  • Force re-authentication for all FileRise users after upgrading and rotate any session tokens that may have been abused.

Patch Information

The vendor fixed CVE-2026-25230 in FileRise 3.3.0. Administrators should review the GitHub Security Advisory GHSA-h8fw-42v6-gfhv and deploy the patched release. No backported fix is published for earlier branches, so upgrading is the supported remediation path.

Workarounds

  • Restrict FileRise access to trusted authenticated users using network-level controls until the upgrade is complete.
  • Deploy a Web Application Firewall (WAF) rule that blocks HTML tag characters in fields submitted to FileRise file management endpoints.
  • Apply a strict Content Security Policy (CSP) at the reverse proxy to limit the impact of injected <form> and <a> elements.
```nginx
# Configuration example: nginx reverse-proxy hardening for FileRise
# form-action 'self' limits where forms may submit; it does not stop a planted form
# that targets a FileRise endpoint on the same origin, so upgrading remains the fix.
add_header Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
