CVE-2025-54789

Source
https://cve.org/CVERecord?id=CVE-2025-54789
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54789.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-54789
Aliases
  • GHSA-cw2v-c62w-5r43
Published
2025-08-01T23:26:32.195Z
Modified
2026-07-08T07:28:16.791578043Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Files is Vulnerable to Reflected Self-XSS through its File Move Functionality
Details

Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, which can lead to Browser JS code execution in the context of the user’s session. This is fixed in version 0.16.10.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "0.6.10"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54789.json",
    "cwe_ids": [
        "CWE-80"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/humhub/cfiles

Affected ranges

Type
GIT
Repo
https://github.com/humhub/cfiles
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:humhub:files:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.16.10"
        }
    ]
}

Affected versions

v0.*
v0.11.18
v0.11.20
v0.12.1
v0.13.0
v0.13.1
v0.14.0
v0.14.1
v0.14.2
v0.15.0
v0.15.1
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.16.5
v0.16.6
v0.16.7
v0.16.8
v0.16.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54789.json"