Lanol Filecodebox

4 matches found

CVE
added 2024/05/05 12:0 a.m. | 49 views

CVE-2024-34525

CVE-2024-34525 affects FileCodeBox 2.0, where a cleartext environment file stores sensitive credentials (OneDrive password and AWS key). Root cause is storing credentials in an unencrypted env file, enabling potential unauthorized access if the file is exposed. Documented remediation/recommendati...

CVSS 5.3 | AI score 7 | EPSS 0.00026
CVE
added 2025/11/19 12:0 a.m. | 7 views

CVE-2025-51661

FileCodeBox has a path traversal vulnerability affecting v2.2 and earlier where SystemFileStorage.save_file uses unvalidated user-supplied filenames to build save_path. An unauthenticated /share/file/upload endpoint can be abused to write arbitrary files outside the intended directory by crafted ...

CVSS 7.5 | AI score 6.5 | EPSS 0.00077
Web
CVE
added 2025/11/19 12:0 a.m. | 5 views

CVE-2025-51662

FileCodeBox contains a stored XSS in the text sharing feature for versions ≤ 2.2 due to insufficient input validation. Attackers can inject JavaScript into shared codeboxes, and the payload executes in users’ browsers when they access the infected codebox via a link or shared code. Connected advi...

CVSS 5.4 | AI score 5.5 | EPSS 0.00026
CVE
added 2025/11/19 12:0 a.m. | 5 views

CVE-2025-51663

FileCodeBox (up to 2.2) includes an IP rate-limiting flaw in the IPRateLimit implementation that lets remote attackers bypass IP-based rate limits and failed-attempt restrictions by forging X-Real-IP and X-Forwarded-For headers. This can enable DoS or brute-force sharing code attempts. Affected c...

CVSS 7.5 | AI score 6.6 | EPSS 0.00134