What is the CVSS score of EUVD-2025-19201?

EUVD-2025-19201 has a CVSS 3.1 base score of 7.6 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Filebrowser are affected by EUVD-2025-19201?

CVE-2025-52902 presents notable security risk, a cross-site scripting vulnerability rated CVSS 7.6.. A patch is available.

Is there a public PoC exploit available for EUVD-2025-19201?

Yes, a public proof-of-concept exploit is available for EUVD-2025-19201. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate EUVD-2025-19201?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Verify anti-CSRF tokens and content security policies are enforced.

Filebrowser EUVD-2025-19201

| CVE-2025-52902 HIGH

Cross-site Scripting (XSS) (CWE-79)

2025-06-26 security-advisories@github.com

GHSA-4wx8-5gm2-2j97

XSS Filebrowser Suse

7.6

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.6 HIGH

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

SUSE

HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 23:54 euvd

EUVD-2025-19201

Analysis Generated

Mar 15, 2026 - 23:54 vuln.today

Patch released

Mar 15, 2026 - 23:54 nvd

Patch available

PoC Detected

Jul 10, 2025 - 01:09 vuln.today

Public exploit code

CVE Published

Jun 26, 2025 - 15:15 nvd

HIGH 7.6

DescriptionGitHub Advisory

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser. Version 2.33.7 contains a fix for the issue.

Analysis

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

A vendor patch is available — apply it immediately. Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

More from same product – last 7 days

CVE-2026-48777 CRITICAL Act Now

9.3 Jun 16

Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all

Vendor StatusVendor

SUSE

Severity: High

Product	Status
SUSE Linux Enterprise Server 16.0	Fixed
openSUSE Tumbleweed	Fixed

EUVD-2025-19201 vulnerability details – vuln.today

Back

Filebrowser EUVD-2025-19201

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Analysis

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code