FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)
Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in FileBrowser Quantum via share metadata due to text/template misuse, allowing script execution on public share pages.
Vulnerability
CVE-2026-30934 is a stored cross-site scripting (XSS) vulnerability in FileBrowser Quantum, a self-hosted web file manager. Prior to versions 1.3.1-beta and 1.2.2-stable, the application uses text/template instead of html/template when rendering share metadata fields (e.g., title, description) into the public share page at /public/share/. This means user-controlled input is not contextually HTML-escaped, allowing an attacker to inject arbitrary JavaScript [1][3].
Exploitation
To exploit the vulnerability, an attacker must have permission to create shares. They can craft a share with malicious payloads in the metadata fields (e.g., ``). Once the share is saved, the payload is stored and executed in the browser of any user—including unauthenticated visitors—who opens the corresponding share URL [3]. No additional user interaction beyond visiting the link is required.
Impact
Successful exploitation enables arbitrary script execution in the context of the application's origin. This can lead to session hijacking, credential theft, data exfiltration, or performing actions on behalf of the victim, potentially compromising the entire application [2][3].
Mitigation
The vulnerability is fixed in versions 1.3.1-beta and 1.2.2-stable. Users should upgrade immediately. The fix replaces text/template with html/template to ensure proper context-aware escaping [1][4]. No workarounds are mentioned.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
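The following is an added example, not code from FileBrowser Quantum, showing the difference the fix makes: the same constructed share metadata is rendered once through text/template, as the vulnerable versions did, and once through html/template, as 1.3.1-beta and 1.2.2-stable do. The Share type, its field names and the page template are assumptions made for this example.

```go
package main

import (
	"bytes"
	htmltemplate "html/template"
	"io"
	"strings"
	texttemplate "text/template"
)

// Share is the share metadata a share creator controls (names are this example's, not FileBrowser's).
type Share struct {
	Title       string
	Description string
}

// pageTmpl is a constructed stand-in for the public share page markup.
const pageTmpl = `<h1>{{.Title}}</h1><p>{{.Description}}</p>`

// Both template packages satisfy this, so one renderer serves the before/after comparison.
type executor interface{ Execute(w io.Writer, data interface{}) error }

func render(t executor, s Share) (string, error) {
	var buf bytes.Buffer
	if err := t.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderUnsafe is the pre-fix pattern: text/template copies the fields verbatim,
// so any markup in them reaches the visitor's browser intact.
func RenderUnsafe(s Share) (string, error) {
	return render(texttemplate.Must(texttemplate.New("share").Parse(pageTmpl)), s)
}

// RenderSafe is the fixed pattern: html/template escapes each value for the
// context it lands in, so the same markup is displayed as inert text.
func RenderSafe(s Share) (string, error) {
	return render(htmltemplate.Must(htmltemplate.New("share").Parse(pageTmpl)), s)
}

// ContainsRawScript is a regression check: does an unescaped "<script" survive rendering?
func ContainsRawScript(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script")
}
```

Feeding a constructed title such as `<script>alert(1)</script>` through both renderers shows the raw tag surviving text/template and arriving as `&lt;script&gt;` from html/template, which is the check to keep in a test suite after upgrading.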
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/gtsteffaniak/filebrowser (Go) | < 0.0.0-20260307130210-09713b32a5f6 | 0.0.0-20260307130210-09713b32a5f6 |
Affected products
- Range: <1.3.1-beta, <1.2.2-stable
- gtsteffaniak/filebrowserv5 (Range: >= 1.3.0-beta, < 1.3.1-beta)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-r633-fcgp-m532 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-30934 (ghsa, ADVISORY)
- github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable (ghsa, x_refsource_MISC, WEB)
- github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta (ghsa, x_refsource_MISC, WEB)
- github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532 (ghsa, x_refsource_CONFIRM, WEB)
- pkg.go.dev/vuln/GO-2026-4660 (ghsa, WEB)
News mentions
No linked articles in our index yet.