CVE-2026-1466

MEDIUM EPSS 20.4%
Published Jan 28, 20265mo ago · Modified Jun 17, 20262w ago
6.1 CVSS 3.1
Medium
Find Similar
Published Jan 28, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066), video and audio. However, it was possible to bypass this check by sending a manipulated HTTP request with an invalid MIME type like image. When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled by sending the HTTP header X-Content-Type-Options: nosniff.

CVSS Details

Base Score
6.1
Exploitability
2.8
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
20.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
jirafeaujirafeau* <4.7.1

References 4

  • gitlab.com https://gitlab.com/jirafeau/Jirafeau/-/commit/747afb20bfcff14bb67e40e7035d47a6311ba3e1
    Patch
  • cve.org https://www.cve.org/CVERecord?id=CVE-2022-30110
    Not Applicable
  • cve.org https://www.cve.org/CVERecord?id=CVE-2024-12326
    Not Applicable
  • cve.org https://www.cve.org/CVERecord?id=CVE-2025-7066
    Not Applicable

Remediation

  • gitlab.com https://gitlab.com/jirafeau/Jirafeau/-/commit/747afb20bfcff14bb67e40e7035d47a6311ba3e1
    Patch