Impact
The vulnerability allows an attacker to embed malicious JavaScript within an EPUB file. When a user previews the file in File Browser, the embedded code runs in that user's browser. This stored XSS can lead to cookie theft, session hijacking, defacement, or any other action the rogue script can perform in the victim's browser context. The weakness is a classic input validation flaw, classified as stored cross‑site scripting (CWE‑79).
Affected Systems
File Browser installations of version 2.62.1 and earlier are affected. The issue exists in any deployment that uses the EPUB preview feature and has not applied the fix released in 2.62.2. No other products are known to be impacted.
Risk and Exploitability
The CVSS base score of 7.6 indicates high impact, while the EPSS score of less than 1% signals that exploitation is currently unlikely. The vulnerability is not in the CISA KEV list, so it is not a known exploited issue. Attackers would need to upload a malicious EPUB through the user interface and then lure a target, whether an administrative user or a general user, to view the file. Once viewed, the script executes within the victim's browser session, giving the attacker the same rights as that user. Because the script runs client‑side, no privileged server access is required, which lowers the threshold for exploitation; however, with no exploitation observed so far, the risk remains moderate to high for organizations that expose the preview function to untrusted users.
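As an added illustration of the defensive side of the issue described above (this is example code written for this page, not File Browser's own code or its fix), the following scanner opens an EPUB, which is a zip of XHTML content documents, and reports the active-content constructs a browser preview would execute: script elements, inline event handlers, and javascript: URLs. The sample EPUB is constructed inline; the function and member names are hypothetical.

```python
"""Triage check for active content inside an EPUB before it reaches a
browser-based preview. Added example, not part of the File Browser project."""
import io
import re
import zipfile
from html.parser import HTMLParser

# Attributes whose value can carry a javascript: URL.
URL_ATTRS = {"href", "src", "data", "xlink:href"}
# Elements that load or run code regardless of attributes.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class ActiveContentFinder(HTMLParser):
    """Collects a human-readable finding for each active-content construct."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value and re.match(r"^\s*javascript:", value, re.I):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def scan_epub(data: bytes) -> dict:
    """Return {member_path: [findings]} for each content document with active content."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if not member.lower().endswith((".xhtml", ".html", ".htm", ".svg")):
                continue
            parser = ActiveContentFinder()
            parser.feed(zf.read(member).decode("utf-8", errors="replace"))
            if parser.findings:
                report[member] = parser.findings
    return report


def build_sample_epub() -> bytes:
    """Constructed sample: one benign chapter and one chapter with active content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip")
        zf.writestr("OEBPS/ch1.xhtml", "<html><body><p>Plain chapter.</p></body></html>")
        zf.writestr("OEBPS/ch2.xhtml", '<html><body><script>/* any script */</script>'
                    '<img src="x" onerror="handler()"><a href="javascript:void(0)">l</a>'
                    '</body></html>')
    return buf.getvalue()
```

This is a coarse upload-time check, not a substitute for the real mitigation of rendering previews in a sandboxed iframe under a restrictive Content Security Policy, since the flags it raises can be obfuscated in ways a parser-based scan will miss.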
OpenCVE Enrichment
Github GHSA