FileBrowser Quantum: Malicious Scripts Can Run When Sharing Files
GHSA-r633-fcgp-m532 / CVE-2026-30934
CVSS 3.1 score: 8.9
Summary
A security issue affects FileBrowser Quantum. If an attacker can get you to open a specially crafted share URL, they can run malicious scripts in your browser within the application's origin. This is because the software doesn't properly escape user-generated text (share metadata) when it's displayed on a public share page. To stay safe, update FileBrowser Quantum to the latest version and be cautious when clicking on links from unknown sources.
What to do
- Update github.com/gtsteffaniak/filebrowser to version 0.0.0-20260307130210-09713b32a5f6 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | gtsteffaniak | <= 0.0.0-20260307130210-09713b32a5f6 | 0.0.0-20260307130210-09713b32a5f6 |
| gtsteffaniak | github.com/gtsteffaniak/filebrowser | <= 0.0.0-20260307130210-09713b32a5f6 | 0.0.0-20260307130210-09713b32a5f6 |
Original title
FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)
Original description
## Summary
Stored XSS is possible via share metadata fields (e.g., `title`, `description`) that are rendered into HTML for `/public/share/<hash>` without context-aware escaping. The server uses `text/template` instead of `html/template`, allowing injected scripts to execute when victims visit the share URL.
## Details
The server renders `public/index.html` using `text/template` and injects user-controlled share fields (title/description/etc.) into HTML contexts. `text/template` does not perform HTML contextual escaping like `html/template`. Because share metadata is persistent, the payload becomes stored and executes whenever a victim opens the affected share page.
Relevant code paths:
- `backend/http/static.go` (template rendering and share metadata assignment)
- `backend/http/httpRouter.go` (template initialization)
- `frontend/public/index.html` (insertion points for title/description and related fields)
## PoC
1. Login as a user with share creation permission.
2. Create a share (`POST /api/share`) with malicious metadata:
- `title = </title><script>alert("xss")</script><title>`
3. Open the resulting `/public/share/<hash>` URL in a browser.
4. **Expected:** Payload is safely escaped and displayed as text.
5. **Actual:** JavaScript executes in victim's browser (stored XSS).
Tested on Docker image: `gtstef/filebrowser:stable` (version `v1.2.1-stable`).
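The Details section above comes down to one library choice: `text/template` substitutes values verbatim, while `html/template` parses the surrounding HTML and escapes each value for the context it lands in. The Go program below is an added example, not the project's code; it renders the PoC title through both packages so the difference is visible. `ShareMeta`, `sharePage`, `RenderUnsafe`, `RenderSafe` and `HasRawScriptTag` are hypothetical names, and `sharePage` is a constructed stand-in for `frontend/public/index.html` with the same kinds of insertion points (title and description), not the real file.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// ShareMeta is a hypothetical stand-in for the user-controlled share
// metadata the advisory describes; the field names are assumptions.
type ShareMeta struct {
	Title       string
	Description string
}

// sharePage is a constructed minimal template with the same kinds of
// insertion points the advisory names (RCDATA inside <title>, an attribute
// value, body text). It is not the project's frontend/public/index.html.
const sharePage = `<!doctype html><html><head>
<title>{{.Title}}</title>
<meta name="description" content="{{.Description}}">
</head><body><h1>{{.Title}}</h1><p>{{.Description}}</p></body></html>`

// PoCMeta returns the title from the advisory's PoC step as constructed
// input, with a benign description.
func PoCMeta() ShareMeta {
	return ShareMeta{
		Title:       `</title><script>alert("xss")</script><title>`,
		Description: "Quarterly report",
	}
}

// RenderUnsafe mirrors the vulnerable pattern: text/template substitutes
// field values verbatim, so markup inside the metadata reaches the browser.
func RenderUnsafe(m ShareMeta) (string, error) {
	t, err := texttemplate.New("share").Parse(sharePage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, m); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderSafe is the fix: html/template parses the same template text, tracks
// the HTML context at each {{...}} action and escapes the value for that
// context, so the same input is emitted as inert text.
func RenderSafe(m ShareMeta) (string, error) {
	t, err := htmltemplate.New("share").Parse(sharePage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, m); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// HasRawScriptTag is a simple regression check: does a rendered page contain
// a literal, unescaped <script tag? The template itself contains none, so a
// hit means user input was inserted without escaping.
func HasRawScriptTag(page string) bool {
	return strings.Contains(strings.ToLower(page), "<script")
}

func main() {
	m := PoCMeta()
	unsafe, err := RenderUnsafe(m)
	if err != nil {
		panic(err)
	}
	safe, err := RenderSafe(m)
	if err != nil {
		panic(err)
	}
	fmt.Println("text/template output contains raw <script>:", HasRawScriptTag(unsafe)) // true
	fmt.Println("html/template output contains raw <script>:", HasRawScriptTag(safe))   // false
	fmt.Println(safe)
}
```

With `html/template` the `<` and `>` of the payload come out as `&lt;` and `&gt;` in both the `<title>` (RCDATA) and `<h1>` (text) contexts, so the browser displays the string instead of executing it. The check in `HasRawScriptTag` is the kind of assertion worth keeping in the project's tests after switching packages, since reverting to `text/template` anywhere in the render path would reintroduce the issue silently.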
## Impact
- Arbitrary script execution in application origin.
- Potential account/session compromise, CSRF-like action execution, data exfiltration from authenticated contexts.
- Affects anyone (including unauthenticated visitors) opening the malicious share URL.
- The XSS is stored and persistent — no social engineering beyond sharing the link is required.
CVSS 3.1 (GHSA): 8.9
Vulnerability type: CWE-79 Cross-site Scripting (XSS)
- https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m...
- https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable
- https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta
- https://github.com/advisories/GHSA-r633-fcgp-m532
- https://github.com/gtsteffaniak/filebrowser (product)
- https://nvd.nist.gov/vuln/detail/CVE-2026-30934
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026