{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34530", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:03:31.048Z", "datePublished": "2026-04-01T20:41:08.718Z", "dateUpdated": "2026-04-04T03:14:50.072Z"}, "containers": {"cna": {"title": "File Browser is vulnerable to Stored Cross-Site Scripting via text/template branding injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv"}, {"name": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2"}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"version": "< 2.62.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T20:41:08.718Z"}, "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2."}], "source": {"advisory": "GHSA-xfqj-3vmx-63wv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-04T03:14:28.317256Z", "id": "CVE-2026-34530", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:14:50.072Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34530", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-04T03:14:28.317256Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:14:46.034Z"}}], "cna": {"title": "File Browser is vulnerable to Stored Cross-Site Scripting via text/template branding injection", "source": {"advisory": "GHSA-xfqj-3vmx-63wv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"status": "affected", "version": "< 2.62.2"}]}], "references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv", "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2", "name": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T20:41:08.718Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34530", "state": "PUBLISHED", "dateUpdated": "2026-04-04T03:14:50.072Z", "dateReserved": "2026-03-30T16:03:31.048Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-01T20:41:08.718Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "matchCriteriaId": "A22210FE-83DA-49B9-A015-543942FE731F", "versionEndExcluding": "2.62.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2."}], "id": "CVE-2026-34530", "lastModified": "2026-04-06T20:34:21.887", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T21:17:00.993", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.62.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "filebrowser", "source": "cna", "vendor": "filebrowser"}, "product": "filebrowser", "vendor": "filebrowser"}], "analysis": {"en": {"generated_at": "2026-04-07T01:51:51.545054+00:00", "value": {"mitigation_remediation": ["Upgrade File Browser to version 2.62.2 or later."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the File Browser file\u2011management interface from the vendor identified as File Browser, All brands using the open\u2011source product. Versions earlier than v2.62.2 are impacted, while v2.62.2 and later contain the fix.", "description_and_impact": "File Browser\u2019s single\u2013page application index page is vulnerable to a stored cross\u2011site scripting flaw that is triggered when an administrator sets the branding.name field to a malicious payload. The injected script is persisted and executed in every browser session that loads the index page, which means all visitors\u2014including those who are not authenticated\u2014can be targeted. The impact is the possible theft of credentials, session hijacking, or other malicious actions performed in the context of the affected user\u2019s browser.", "risk_and_exploitability": "The CVSS score is 6.9, indicating a medium severity, while the EPSS score is below 1% which suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires that the attacker deliver a malicious payload via the branding.name field, which generally requires administrative access or compromise of an administrator\u2019s account. Once the malicious script is stored, it will run for all users who view the index page."}}}}, "created": "2026-04-02T07:47:34.238821+00:00", "updated": "2026-04-07T08:07:27.556177+00:00", "vendors": ["filebrowser", "filebrowser$PRODUCT$filebrowser"]}