{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30934", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T16:40:05.885Z", "datePublished": "2026-03-10T16:12:23.434Z", "dateUpdated": "2026-03-10T16:41:10.418Z"}, "containers": {"cna": {"title": "FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532"}, {"name": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable", "tags": ["x_refsource_MISC"], "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable"}, {"name": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta", "tags": ["x_refsource_MISC"], "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta"}], "affected": [{"vendor": "gtsteffaniak", "product": "filebrowser", "versions": [{"version": ">= 1.3.0-beta, < 1.3.1-beta", "status": "affected"}, {"version": "< 1.2.2-stable", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T16:12:23.434Z"}, "descriptions": [{"lang": "en", "value": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable."}], "source": {"advisory": "GHSA-r633-fcgp-m532", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30934", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T16:38:59.115847Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:41:10.418Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30934", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T16:38:59.115847Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:40:53.861Z"}}], "cna": {"title": "FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)", "source": {"advisory": "GHSA-r633-fcgp-m532", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gtsteffaniak", "product": "filebrowser", "versions": [{"status": "affected", "version": ">= 1.3.0-beta, < 1.3.1-beta"}, {"status": "affected", "version": "< 1.2.2-stable"}]}], "references": [{"url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532", "name": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable", "name": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta", "name": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T16:12:23.434Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30934", "state": "PUBLISHED", "dateUpdated": "2026-03-10T16:41:10.418Z", "dateReserved": "2026-03-07T16:40:05.885Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T16:12:23.434Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9301582-B9B7-431D-B9F0-D2ED8A0F4F0A", "versionEndIncluding": "1.2.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:filebrowser:filebrowser:1.2.1:stable:*:*:*:*:*:*", "matchCriteriaId": "DE0C44CA-A1E7-4A78-AEBE-9E40AC8356A3", "vulnerable": true}, {"criteria": "cpe:2.3:a:filebrowser:filebrowser:1.3.0:beta:*:*:*:*:*:*", "matchCriteriaId": "BBB1EA86-4052-40DC-AAAA-8133DD965699", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable."}, {"lang": "es", "value": "FileBrowser Quantum es un gestor de archivos gratuito, autoalojado y basado en web. Antes de 1.3.1-beta y 1.2.2-stable, es posible un XSS Almacenado a trav\u00e9s de campos de metadatos de compartici\u00f3n (p. ej., t\u00edtulo, descripci\u00f3n) que se renderizan en HTML para /public/share/ sin escape sensible al contexto. El servidor utiliza text/template en lugar de html/template, permitiendo que los scripts inyectados se ejecuten cuando las v\u00edctimas visitan la URL de compartici\u00f3n. Esta vulnerabilidad est\u00e1 corregida en 1.3.1-beta y 1.2.2-stable."}], "id": "CVE-2026-30934", "lastModified": "2026-03-18T16:52:51.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-10T18:18:53.257", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.3.0-beta,1.3.1-beta)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.2-stable)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "filebrowser", "source": "cna", "vendor": "gtsteffaniak"}, "product": "filebrowser", "vendor": "gtsteffaniak"}], "analysis": {"en": {"generated_at": "2026-04-16T09:47:52.332271+00:00", "value": {"mitigation_remediation": ["Upgrade to FileBrowser Quantum 1.3.1\u2011beta, 1.2.2\u2011stable, or a later version that removes the unsanitized rendering.", "If an upgrade cannot be performed immediately, limit the ability to create shares to trusted users and sanitize or remove any metadata before publishing a share.", "Configure the web server to issue a strong Content\u2011Security\u2011Policy header that restricts the execution of inline scripts on the public share page."], "summary": {"action": "Patch immediately", "impact": "Stored Cross\u2011Site Scripting that can be triggered by any visitor to a compromised shared URL."}, "threat_synthesis": {"affected_systems": "The vulnerability affects FileBrowser Quantum versions released before 1.3.1\u2011beta and before 1.2.2\u2011stable, including the 1.2.1\u202fstable release and the 1.3.0\u202fbeta build. The vendor is gtsteffaniak. Attacks target the /public/share/<hash> endpoint which renders any user\u2011supplied metadata without escaping.", "description_and_impact": "FileBrowser Quantum allowed an attacker to embed malicious scripts in shared metadata fields such as title or description. Because the server used the text/template Go package instead of the context\u2011aware html/template, these scripts were rendered directly into the HTML of the public share page. When a victim opened that page, the payload executed in the victim's browser, potentially leaking session cookies, defacing the site, or executing further malicious actions. This is a classic stored XSS flaw (CWE\u201179) that compromises confidentiality, integrity, and availability of the affected sessions.", "risk_and_exploitability": "The flaw receives a CVSS score of 8.9, indicating high severity. The EPSS score is below 1\u202f%, suggesting few attacks are currently observed, but the vulnerability is listed only in the vendor advisory and is not yet in the CISA KEV list. An attacker needs to create or modify a share with malicious metadata; once a user visits the public URL, the injected code executes. This requires no privileged access and can be carried out by anyone who can publish a share."}}}}, "created": "2026-03-11T11:49:48.198662+00:00", "updated": "2026-04-16T10:00:14.063027+00:00", "vendors": ["gtsteffaniak", "gtsteffaniak$PRODUCT$filebrowser"]}