CVE-2026-34529
Published: 01 April 2026
Summary
CVE-2026-34529 is a high-severity Cross-site Scripting (CWE-79) vulnerability in File Browser (vendor: Filebrowser). Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539). The vulnerability ranks at the 12.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-15 (Information Output Filtering): filters malicious JavaScript from the EPUB preview output, directly preventing Stored XSS execution in the victim's browser.
SI-10 (Information Input Validation): validates uploaded EPUB files and blocks those containing embedded JavaScript, preventing storage of malicious payloads.
Flaw remediation: requires timely remediation of the specific Stored XSS flaw by applying the vendor patch in File Browser version 2.62.2.
MITRE ATT&CK Enterprise Techniques
Steal Web Session Cookie (T1539)
Why these techniques?
Stored XSS in the EPUB preview enables attacker-controlled JavaScript execution in the victim's browser context, directly facilitating theft of web session cookies and credentials, as reflected in the high confidentiality impact.
NVD Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the EPUB preview function in File Browser is vulnerable to Stored Cross-Site Scripting (XSS). JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file. This issue has been patched in version 2.62.2.
Deeper analysis
CVE-2026-34529 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting the EPUB preview function in File Browser, an open-source file managing interface used for uploading, deleting, previewing, renaming, and editing files within a specified directory. The flaw exists in versions prior to 2.62.2, where JavaScript embedded in a specially crafted EPUB file can execute in the victim's browser upon previewing the malicious file. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, and potential for significant confidentiality impact with a changed scope.
An attacker with low privileges, such as an authenticated user able to upload files to the File Browser instance, can exploit this by uploading a crafted EPUB containing malicious JavaScript. When another user with preview permissions opens and previews the file, the script executes in that user's browser context. This allows the attacker to steal sensitive data such as session cookies or credentials (high confidentiality impact) and to make limited integrity modifications; availability is unaffected, and exploitation is contingent on user interaction to trigger the preview.
The issue has been addressed in File Browser version 2.62.2, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to this patched version immediately and review access controls for file upload and preview functionalities to mitigate risks in affected deployments.
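The input-validation control listed above (SI-10, rejecting uploaded EPUBs that carry embedded JavaScript) can be implemented as an upload gate that opens the EPUB container and inspects its content documents. The following is an added example written for this page; it is not File Browser's own code and does not reflect how the 2.62.2 patch was implemented. It assumes an EPUB is a ZIP container whose XHTML/HTML/SVG entries are what the preview renders, and it flags `<script>` elements, `on*` event-handler attributes, `javascript:`/`vbscript:` URL schemes (including ones obfuscated with embedded whitespace or entity-encoded line breaks, which the parser decodes), and loose script files. The sample EPUBs are constructed in-line for demonstration.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

# Container entries the preview would render as markup (EPUB content documents).
MARKUP_SUFFIXES = (".xhtml", ".html", ".htm", ".xml", ".svg")
# Entries that are script files outright, whether or not any document references them.
SCRIPT_SUFFIXES = (".js", ".mjs")
# Attributes that carry a URL and therefore a scheme worth checking.
URL_ATTRS = ("href", "src", "xlink:href", "data", "action", "formaction")


class _ScriptFinder(HTMLParser):
    """Records every script-capable construct seen while parsing one content document."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: attribute entities are decoded for us
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, value in attrs:  # HTMLParser already lower-cases attribute names
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            elif name in URL_ATTRS and value:
                # Collapse whitespace/control characters so "java\nscript:" is not missed.
                normalized = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if normalized.startswith(("javascript:", "vbscript:")):
                    scheme = normalized.split(":", 1)[0]
                    self.findings.append(f"{name} uses {scheme}: URL scheme")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <script/> like <script>


def find_script_content(epub_bytes):
    """Return a list of (entry name, finding) pairs; an empty list means nothing was found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(epub_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(SCRIPT_SUFFIXES):
                findings.append((name, "script file inside container"))
            elif lower.endswith(MARKUP_SUFFIXES):
                text = zf.read(name).decode("utf-8", errors="replace")
                parser = _ScriptFinder()
                parser.feed(text)
                parser.close()
                findings.extend((name, f) for f in parser.findings)
    return findings


def is_safe_epub(epub_bytes):
    """Upload gate: True only for a well-formed container with no script content."""
    try:
        return not find_script_content(epub_bytes)
    except zipfile.BadZipFile:
        return False  # unparsable container: reject rather than guess


def build_epub(chapter_xhtml, extra_entries=None):
    """Constructed minimal EPUB (not a real book) with one chapter document, for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"), "application/epub+zip")  # stored, per spec
        zf.writestr("META-INF/container.xml",
                    '<?xml version="1.0"?><container version="1.0" '
                    'xmlns="urn:oasis:names:tc:opendocument:xmlns:container">'
                    '<rootfiles><rootfile full-path="OEBPS/content.opf" '
                    'media-type="application/oebps-package+xml"/></rootfiles></container>')
        zf.writestr("OEBPS/content.opf",
                    '<?xml version="1.0"?><package xmlns="http://www.idpf.org/2007/opf" '
                    'version="3.0"><manifest><item id="c1" href="chapter1.xhtml" '
                    'media-type="application/xhtml+xml"/></manifest></package>')
        zf.writestr("OEBPS/chapter1.xhtml", chapter_xhtml)
        for entry_name, content in (extra_entries or {}).items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


# Constructed sample chapters: one clean, one with three inert script-bearing constructs.
CLEAN_CHAPTER = (
    '<html xmlns="http://www.w3.org/1999/xhtml"><body>'
    '<h1>Chapter 1</h1><p>Plain text and a <a href="chapter2.xhtml">link</a>.</p>'
    "</body></html>"
)
SCRIPTED_CHAPTER = (
    '<html xmlns="http://www.w3.org/1999/xhtml"><body>'
    '<h1 onload="document.title = \'x\'">Chapter 1</h1>'
    "<script>document.title = 'y';</script>"
    '<a href="java&#10;script:void(0)">link</a>'  # entity-encoded newline inside the scheme
    "</body></html>"
)

if __name__ == "__main__":
    for label, blob in (("clean", build_epub(CLEAN_CHAPTER)),
                        ("scripted", build_epub(SCRIPTED_CHAPTER))):
        verdict = "accepted" if is_safe_epub(blob) else "rejected"
        print(label, verdict, find_script_content(blob))
```

This gate is the SI-10 half of the page's mitigation pair: it stops script-bearing EPUBs from being stored. It does not replace SI-15 filtering in the preview path itself (for files already on disk, and for constructs a denylist parser may miss), so both controls should be applied together with the 2.62.2 upgrade.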
Details
- CWE(s): CWE-79 (Cross-site Scripting)