Unknown · Filebrowser · CVE-2026-30934
**Name of the Vulnerable Software and Affected Versions**
FileBrowser versions prior to 1.3.1-beta
FileBrowser versions prior to 1.2.2-stable
**Description**
FileBrowser is a free, self-hosted, web-based file manager. A stored cross-site scripting (XSS) issue exists because share metadata fields such as `title` and `description` are rendered with Go's `text/template` instead of `html/template` on the `/public/share/<hash>` endpoint. The server renders `public/index.html` with `text/template` and injects user-controlled share fields into HTML contexts without contextual escaping, so injected scripts execute when a victim visits the share URL. Because share metadata is persistent, the payload is stored and executes every time the affected share page is opened. Relevant code paths include `backend/http/static.go`, `backend/http/httpRouter.go`, and `frontend/public/index.html`. The impact includes arbitrary script execution in the application origin, potential account or session compromise, and data exfiltration; exploitation requires only that a victim open the share link.
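The root cause is the choice of template package, so the following added example (not FileBrowser's code) renders the same constructed share metadata through both `text/template` and `html/template` to show the difference. The `Share` struct, the `sharePage` markup and the sample values are assumptions made for this illustration; only the package names come from the advisory.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Share is a constructed stand-in for the user-controlled share metadata
// the advisory names (title and description); not FileBrowser's own type.
type Share struct {
	Title       string
	Description string
}

// sharePage is constructed markup covering two HTML contexts: element text
// and an attribute value. It is not frontend/public/index.html.
const sharePage = `<h1>{{.Title}}</h1><p data-desc="{{.Description}}">{{.Description}}</p>`

// renderText mirrors the vulnerable pattern: text/template substitutes the
// fields verbatim, so markup inside them becomes part of the page.
func renderText(s Share) (string, error) {
	t, err := texttemplate.New("share").Parse(sharePage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderHTML is the fixed pattern: html/template parses the markup, infers
// the context of each action, and escapes each field for that context.
func renderHTML(s Share) (string, error) {
	t, err := htmltemplate.New("share").Parse(sharePage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// sampleShare is a constructed record whose title carries markup and whose
// description carries quotes, to exercise both contexts.
func sampleShare() Share {
	return Share{
		Title:       `<script>alert(1)</script>`,
		Description: `Q1 "final" report`,
	}
}

func main() {
	s := sampleShare()
	raw, err := renderText(s)
	if err != nil {
		panic(err)
	}
	safe, err := renderHTML(s)
	if err != nil {
		panic(err)
	}
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", safe)
}
```

With `text/template` the `<script>` element survives into the response body unchanged; with `html/template` the angle brackets become `&lt;` and `&gt;` and the quotes in the attribute become `&#34;`, so the browser treats the metadata as text in both contexts. Switching the package is only safe when the template is parsed by `html/template` from the start; wrapping a field in `template.HTML` reintroduces the original problem.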
**Recommendations**
FileBrowser versions prior to 1.3.1-beta should be updated to version 1.3.1-beta or later.
FileBrowser versions prior to 1.2.2-stable should be updated to version 1.2.2-stable or later.