PT-2026-24170 · Unknown · Filebrowser

Lulaide · Published 2026-03-09 · Updated 2026-03-25

CVE-2026-30934
CVSS v3.1: 8.9 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

FileBrowser versions prior to 1.3.1-beta
FileBrowser versions prior to 1.2.2-stable

Description

FileBrowser is a free, self-hosted, web-based file manager. A stored cross-site scripting (XSS) vulnerability exists because share metadata fields such as the title and description are rendered with Go's text/template instead of html/template on the /public/share/<hash> endpoint. The server renders public/index.html with text/template and substitutes the user-controlled share fields directly into HTML contexts, so no context-aware escaping is applied and any markup placed in those fields reaches the victim's browser as live HTML.

Because share metadata is persisted with the share, the payload is stored and executes every time a victim opens the affected share page; the attacker only needs to distribute the share link. Relevant code paths include backend/http/static.go, backend/http/httpRouter.go, and frontend/public/index.html.

The impact includes arbitrary script execution in the application origin, potential account or session compromise, and data exfiltration.
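The escaping difference described above, shown as an added Go example that is not part of the original advisory or of FileBrowser's own code: the same miniature page is rendered once with text/template (the vulnerable pattern) and once with html/template (the fix). The ShareMeta type, the pageTmpl string and the payload are assumptions constructed for illustration and stand in for the real share fields and frontend/public/index.html.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// ShareMeta is a constructed stand-in for the share metadata that gets
// injected into the public share page. Field names are assumptions, not
// FileBrowser's own types.
type ShareMeta struct {
	Title       string
	Description string
}

// pageTmpl is a deliberately small stand-in for public/index.html. It places
// the same user-controlled fields in three different HTML contexts: an RCDATA
// element (<title>), an attribute value, and ordinary element content.
const pageTmpl = `<!DOCTYPE html>
<html><head>
<title>{{.Title}}</title>
<meta name="description" content="{{.Description}}">
</head><body>
<h1>{{.Title}}</h1>
<p>{{.Description}}</p>
</body></html>`

// renderWithTextTemplate reproduces the vulnerable pattern: text/template has
// no notion of HTML and substitutes the fields verbatim, so markup in
// attacker-controlled metadata is delivered to the browser as live HTML.
func renderWithTextTemplate(m ShareMeta) (string, error) {
	t, err := texttemplate.New("share").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, m); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderWithHTMLTemplate is the fix: html/template parses the template as
// HTML and escapes each interpolated value for the context it lands in
// (RCDATA, attribute value, element content), so the payload is rendered
// as inert text rather than executed.
func renderWithHTMLTemplate(m ShareMeta) (string, error) {
	t, err := htmltemplate.New("share").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, m); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsLiveScript is a crude comparison check, not a sanitizer: does an
// unescaped <script tag survive into the rendered output?
func containsLiveScript(page string) bool {
	return strings.Contains(strings.ToLower(page), "<script")
}

func main() {
	// Constructed payload: a share whose title carries a script element and
	// whose description tries to break out of the content attribute.
	evil := ShareMeta{
		Title:       `Q3 report<script>alert(document.domain)</script>`,
		Description: `"><img src=x onerror=alert(1)>`,
	}
	vuln, _ := renderWithTextTemplate(evil)
	fixed, _ := renderWithHTMLTemplate(evil)
	fmt.Printf("text/template output contains live <script>: %v\n", containsLiveScript(vuln))
	fmt.Printf("html/template output contains live <script>: %v\n", containsLiveScript(fixed))
	fmt.Println(fixed)
}
```

Swapping the import is the whole fix, but the check that matters is that every place where share metadata reaches a page goes through html/template; a single remaining text/template render of the same fields reintroduces the issue.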
Recommendations

FileBrowser versions prior to 1.3.1-beta should be updated to version 1.3.1-beta or later.
FileBrowser versions prior to 1.2.2-stable should be updated to version 1.2.2-stable or later.

Tags: Exploit · Fix · XSS


Related Identifiers

CVE-2026-30934
GHSA-R633-FCGP-M532
GO-2026-4660
SUSE-SU-2026:1042-1

Affected Products

Filebrowser