Description
Jirafeau normally prevents browser preview for text files due to the possibility that, for example, SVG and HTML documents could be exploited for cross-site scripting. This was done by storing the MIME type of a file and allowing browser preview only for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066), video and audio. However, it was possible to bypass this check by sending a manipulated HTTP request with an invalid MIME type like image. When doing the preview, the browser tries to automatically detect the MIME type, resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled by sending the HTTP header X-Content-Type-Options: nosniff.
Published: 2026-01-28
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting (XSS) via manipulated MIME preview
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary JavaScript into the browser by crafting an HTTP request with an invalid MIME type, causing the preview engine to perform MIME sniffing and treat the content as an SVG that executes embedded scripts. This flaw is an example of improper input neutralization and is identified as CWE-79. Successful exploitation permits the attacker to run malicious scripts in the context of the victim's session, enabling data theft, session hijacking or defacement. The CVSS score of 6.1 indicates moderate severity, but the EPSS score of less than 1% suggests that attacks are currently rare. The issue is not listed in the CISA KEV catalog.

Affected Systems

The flaw affects the Jirafeau project's Jirafeau file-sharing application. All installations running a version prior to 4.7.1 are vulnerable. The vendor recommends upgrading to version 4.7.1, which removes the bypass that permits the invalid MIME type to trigger the preview.

Risk and Exploitability

Because the flaw is triggered through a crafted preview request, an attacker only needs to reach the Jirafeau instance over the network. No authentication is required; the vulnerability could be exploited by an unauthenticated attacker who can get a victim's browser to display the preview. The low EPSS score implies that little exploitation has been observed so far, but the moderate CVSS score and the nature of XSS call for an immediate response. No in-the-wild exploitation has been reported, and the flaw does not appear in KEV, meaning there is currently no known large-scale exploitation campaign.

Generated by OpenCVE AI on April 18, 2026 at 01:45 UTC.

Remediation

Vendor Solution

Upgrade to version 4.7.1


OpenCVE Recommended Actions

  • Upgrade Jirafeau to version 4.7.1 or later
  • Configure the web server or application to include the X-Content-Type-Options: nosniff header for all preview responses
  • Modify the MIME type validation logic to allow only safe image, video, and audio types, rejecting any others
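To make the bypass and the recommended fixes concrete, here is an added illustration (not Jirafeau's own code): a prefix check of the kind the description refers to, beside a strict type/subtype allowlist, and the nosniff header the fix adds. The specific allowlist contents and function names are assumptions for the example.

```python
import re
from typing import Dict

# Assumed allowlist of exact media types considered safe to render inline.
# image/svg+xml is deliberately absent: SVG documents can carry <script>.
SAFE_PREVIEW_TYPES = frozenset({
    "image/png", "image/jpeg", "image/gif", "image/webp", "image/bmp",
    "video/mp4", "video/webm", "video/ogg",
    "audio/mpeg", "audio/ogg", "audio/wav", "audio/webm",
})

# A well-formed type/subtype only: no parameters, no whitespace, no bare type.
_MEDIA_TYPE = re.compile(r"^(image|video|audio)/[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}$")


def weak_preview_allowed(mime: str) -> bool:
    """Prefix check like the one the CVE describes: a bare 'image' string
    (no subtype) passes, and the browser is then left to sniff the body."""
    return ((mime.startswith("image") and mime != "image/svg+xml")
            or mime.startswith("video") or mime.startswith("audio"))


def strict_preview_allowed(mime: str) -> bool:
    """Require a syntactically valid type/subtype and an exact allowlist hit."""
    mime = mime.strip().lower()
    return bool(_MEDIA_TYPE.match(mime)) and mime in SAFE_PREVIEW_TYPES


def preview_headers(mime: str) -> Dict[str, str]:
    """Response headers for a preview request. nosniff is sent unconditionally
    so the browser honours the declared type even if validation were bypassed."""
    if not strict_preview_allowed(mime):
        # Not previewable: force a download with an opaque type.
        return {"Content-Type": "application/octet-stream",
                "Content-Disposition": "attachment",
                "X-Content-Type-Options": "nosniff"}
    return {"Content-Type": mime.strip().lower(),
            "Content-Disposition": "inline",
            "X-Content-Type-Options": "nosniff"}
```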



Advisories

No advisories yet.

History

Thu, 12 Feb 2026 20:45:00 +0000

Type | Values Removed | Values Added
CPEs |                | cpe:2.3:a:jirafeau:jirafeau:*:*:*:*:*:*:*:*

Thu, 29 Jan 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Jirafeau; Jirafeau jirafeau
Vendors & Products  |                | Jirafeau; Jirafeau jirafeau

Wed, 28 Jan 2026 21:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 06:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066), video and audio. However, it was possible to bypass this check by sending a manipulated HTTP request with an invalid MIME type like image. When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled by sending the HTTP header X-Content-Type-Options: nosniff.
Title       |                | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Jirafeau
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-01-28T20:48:25.368Z

Reserved: 2026-01-27T08:04:12.765Z

Link: CVE-2026-1466

Vulnrichment

Updated: 2026-01-28T20:48:14.097Z

NVD

Status: Analyzed

Published: 2026-01-28T07:16:01.087

Modified: 2026-02-12T20:43:24.200

Link: CVE-2026-1466

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses