CVE-2026-25230

medium

Description

FileRise is a self-hosted web file manager / WebDAV server. Prior to version 3.3.0, an HTML injection vulnerability allows an authenticated user to modify the DOM and add elements such as forms that call certain endpoints or links that redirect the user on active interaction. This vulnerability is fixed in 3.3.0.

References

https://github.com/error311/FileRise/security/advisories/GHSA-h8fw-42v6-gfhv

https://github.com/error311/FileRise/releases/tag/v3.3.0

https://github.com/error311/FileRise/blob/7fee135a5b8feb25558aba0474bd6bb53943fc88/src/models/FileModel.php#L3146

https://github.com/error311/FileRise/blob/7fee135a5b8feb25558aba0474bd6bb53943fc88/src/controllers/FileController.php#L4016-L4058

Details

Source: Mitre, NVD

Published: 2026-02-09

Updated: 2026-02-19

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.4

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00035