PT-2026-29427 · Unknown · Filebrowser
Tomasvanagas · Published 2026-03-31 · Updated 2026-04-02
CVE-2026-34530 · CVSS v3.1 6.9 Medium
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions: File Browser versions prior to 2.62.2
Description: File Browser versions prior to 2.62.2 are susceptible to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An administrator who sets the branding.name field to a malicious payload injects persistent JavaScript that executes for all visitors, including unauthenticated users. The issue stems from http/static.go rendering the page with text/template instead of html/template; text/template performs no HTML escaping, and the frontend template embeds these fields directly, so arbitrary script is injected into every page load. The ReCaptchaHost field can also be abused to load arbitrary JavaScript from an admin-chosen origin. The absence of a Content-Security-Policy header exacerbates the risk.
Recommendations: Update to version 2.62.2 or later.
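As an added illustration (example code written for this entry, not File Browser's own source or the fix commit), the following Go program renders the same template with text/template and with html/template to show why the swap named in the description removes the injection, and serves the page behind a Content-Security-Policy header, which the description notes was missing. The Branding struct, the one-line template, the CSP value and the sample branding name are all constructed assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	"net/http"
	texttpl "text/template"
)

// Branding stands in for the admin-controlled branding settings described in
// the advisory. The struct is assumed for this example; it is not File
// Browser's own type.
type Branding struct {
	Name string
}

// page is a constructed stand-in for the frontend index template that embeds
// the branding name directly.
const page = `<!DOCTYPE html><html><body><h1>{{.Name}}</h1></body></html>`

// RenderUnsafe mirrors the pre-2.62.2 behaviour: text/template treats the
// template as opaque text and writes .Name into the page verbatim, so any
// markup an administrator stores in the field reaches every visitor's browser.
func RenderUnsafe(b Branding) (string, error) {
	t, err := texttpl.New("index").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, b); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderSafe is the fix: html/template parses the template as HTML and applies
// context-aware escaping, so "<" in .Name becomes "&lt;" inside the <h1>.
func RenderSafe(b Branding) (string, error) {
	t, err := htmltpl.New("index").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, b); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// BrandedHandler serves the safely rendered page and sets a restrictive
// Content-Security-Policy. The policy value is an assumed baseline for this
// example: scripts may only be loaded from the site's own origin, which also
// blocks script loaded from an admin-chosen ReCaptchaHost on another origin.
func BrandedHandler(b Branding) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := RenderSafe(b)
		if err != nil {
			http.Error(w, "template error", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Security-Policy",
			"default-src 'self'; script-src 'self'; object-src 'none'")
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, body)
	})
}

func main() {
	// Constructed sample: markup stored in the branding name field.
	b := Branding{Name: "<script>alert(1)</script>"}
	raw, _ := RenderUnsafe(b)
	safe, _ := RenderSafe(b)
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", safe)
}
```

Running the program prints the stored markup unchanged from text/template and as `&lt;script&gt;alert(1)&lt;/script&gt;` from html/template; the CSP on the handler is defence in depth for any field the template change does not cover.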
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Filebrowser