CVE-2026-34530: File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection
The SPA index page in File Browser is vulnerable to Stored Cross-site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users.
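The root cause named in the title, as an added example that is not File Browser's own code: Go's text/template writes values into the page verbatim, while html/template escapes them for the surrounding HTML context. The template, the Branding struct and the test value are constructed for illustration, and switching to html/template is shown as a standard mitigation, not as the project's actual patch.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Constructed stand-in for an SPA index page, not File Browser's real template.
const indexTmpl = `<html><head><title>{{ .Name }}</title></head>
<body><div id="app" data-name="{{ .Name }}"></div></body></html>`

// Branding is a hypothetical holder for the admin-controlled field.
type Branding struct{ Name string }

// renderText uses text/template, which writes values with no escaping.
func renderText(b Branding) (string, error) {
	var buf bytes.Buffer
	t, err := texttemplate.New("index").Parse(indexTmpl)
	if err != nil {
		return "", err
	}
	err = t.Execute(&buf, b)
	return buf.String(), err
}

// renderHTML uses html/template, which escapes for the HTML context.
func renderHTML(b Branding) (string, error) {
	var buf bytes.Buffer
	t, err := htmltemplate.New("index").Parse(indexTmpl)
	if err != nil {
		return "", err
	}
	err = t.Execute(&buf, b)
	return buf.String(), err
}

// hasRawMarkup reports whether a script tag reached the page unescaped.
func hasRawMarkup(page string) bool { return strings.Contains(page, "<script>") }

func main() {
	b := Branding{Name: "<script>alert(1)</script>"} // constructed test value
	raw, _ := renderText(b)
	safe, _ := renderHTML(b)
	fmt.Println("text/template raw markup:", hasRawMarkup(raw))
	fmt.Println("html/template raw markup:", hasRawMarkup(safe))
}
```

A check like hasRawMarkup can serve as a regression test on the rendered index page after a fix is applied.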