Vulnerability Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Filebrowser | Filebrowser | <= 1.2.9 |
Related Weaknesses (CWE)
References
- https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stableRelease Notes
- https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-betaRelease Notes
- https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-mExploitVendor Advisory
FAQ
What is CVE-2026-30934?
CVE-2026-30934 is a vulnerability with a CVSS score of 8.9 (HIGH). FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered ...
How severe is CVE-2026-30934?
CVE-2026-30934 has been rated HIGH with a CVSS base score of 8.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30934?
Check the references section above for vendor advisories and patch information. Affected products include: Filebrowser Filebrowser.