High severity · NVD Advisory · Published Mar 10, 2026 · Updated Mar 10, 2026
FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)
CVE-2026-30934
Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
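The text/template versus html/template difference described above, as an added Go example that is not FileBrowser Quantum's own code. The `ShareMeta` type, the `sharePage` template and the sample metadata values are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmpl "html/template"
	"io"
	"strings"
	ttmpl "text/template"
)

// ShareMeta is a hypothetical stand-in for the share fields a user can set.
type ShareMeta struct{ Title, Description string }

// sharePage is a constructed template (not the project's own) that places
// metadata in three contexts: element text, a quoted attribute, and a script.
const sharePage = `<h1>{{.Title}}</h1>
<meta name="description" content="{{.Description}}">
<script>var shareTitle = {{.Title}};</script>`

// executor is satisfied by both text/template and html/template templates.
type executor interface{ Execute(io.Writer, any) error }

func render(t executor, m ShareMeta) string {
	var b bytes.Buffer
	if err := t.Execute(&b, m); err != nil {
		return "render error: " + err.Error()
	}
	return b.String()
}

// renderText mirrors the vulnerable pattern: text/template emits values verbatim.
func renderText(m ShareMeta) string {
	return render(ttmpl.Must(ttmpl.New("share").Parse(sharePage)), m)
}

// renderHTML is the hardened form: html/template escapes per output context.
func renderHTML(m ShareMeta) string {
	return render(htmpl.Must(htmpl.New("share").Parse(sharePage)), m)
}

// rawMarkup reports whether the constructed marker survived unescaped.
func rawMarkup(out string) bool { return strings.Contains(out, "<script>alert(") }

func main() {
	// Constructed sample metadata, used only to make the escaping visible.
	m := ShareMeta{Title: "<script>alert(1)</script>", Description: `"><script>alert(2)</script>`}
	fmt.Printf("text/template raw markup: %v\n%s\n\n", rawMarkup(renderText(m)), renderText(m))
	fmt.Printf("html/template raw markup: %v\n%s\n", rawMarkup(renderHTML(m)), renderHTML(m))
}
```

The same template source is parsed by both packages; only html/template tracks whether each action sits in element text, an attribute or a script and picks the escaper accordingly.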
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/gtsteffaniak/filebrowser (Go) | < 0.0.0-20260307130210-09713b32a5f6 | 0.0.0-20260307130210-09713b32a5f6 |
Affected products
- ghsa-coords (2 versions): pkg:golang/github.com/gtsteffaniak/filebrowser, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6; range: < 0.0.0-20260307130210-09713b32a5f6 (+ 1 more)
- (no CPE) range: < 0.0.0-20260307130210-09713b32a5f6
- (no CPE) range: < 0.0.20260317T205859-150000.1.152.1
- Range: >= 1.3.0-beta, < 1.3.1-beta
References
- github.com/advisories/GHSA-r633-fcgp-m532 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-30934 (ghsa; ADVISORY)
- github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable (ghsa; x_refsource_MISC, WEB)
- github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta (ghsa; x_refsource_MISC, WEB)
- github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532 (ghsa; x_refsource_CONFIRM, WEB)
- pkg.go.dev/vuln/GO-2026-4660 (ghsa; WEB)