CVE-2026-30934: FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)
Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL.
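The text/template versus html/template difference described above, shown side by side as an added example (not the project's own code; the ShareMeta type, field names and template are assumptions standing in for the real share metadata and page):

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"io"
	texttemplate "text/template"
)

// ShareMeta is a hypothetical stand-in for the share metadata (title,
// description) rendered into the public share page; names are assumptions.
type ShareMeta struct{ Title, Description string }

// One template source for both renderers, so the only variable is the package.
const sharePage = `<h1>{{.Title}}</h1><p>{{.Description}}</p>`

// executor is satisfied by both *text/template.Template and *html/template.Template.
type executor interface{ Execute(w io.Writer, data interface{}) error }

func render(t executor, m ShareMeta) (string, error) {
	var buf bytes.Buffer
	if err := t.Execute(&buf, m); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderTextTemplate reproduces the vulnerable pattern: text/template knows
// nothing about HTML, so markup in the metadata is copied into the page verbatim.
func RenderTextTemplate(m ShareMeta) (string, error) {
	return render(texttemplate.Must(texttemplate.New("share").Parse(sharePage)), m)
}

// RenderHTMLTemplate is the corrected form: html/template escapes each value for
// the context it lands in (element body here), so the same metadata is inert text.
func RenderHTMLTemplate(m ShareMeta) (string, error) {
	return render(htmltemplate.Must(htmltemplate.New("share").Parse(sharePage)), m)
}

func main() {
	// Constructed sample of what a share author might type into the title field.
	meta := ShareMeta{Title: `<script>alert("xss")</script>`, Description: "a & b"}
	unsafe, _ := RenderTextTemplate(meta)
	safe, _ := RenderHTMLTemplate(meta)
	fmt.Println("text/template:", unsafe) // <script> survives as markup
	fmt.Println("html/template:", safe)   // &lt;script&gt;... shown as text
}
```

The fix is the package swap alone: the template source is unchanged, and html/template also handles attribute, URL and script contexts that a hand-written escape call would miss.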
References
- github.com/advisories/GHSA-r633-fcgp-m532
- github.com/gtsteffaniak/filebrowser
- github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable
- github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta
- github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532
- nvd.nist.gov/vuln/detail/CVE-2026-30934
- pkg.go.dev/vuln/GO-2026-4660