CVE-2026-30934 in filebrowserinfo

Summary

by MITRE • 03/10/2026

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.


Analysis

by VulDB Data Team • 03/19/2026

FileBrowser Quantum, in versions prior to 1.3.1-beta and 1.2.2-stable, contains a critical stored cross-site scripting vulnerability that puts users who share files through the platform at risk. The flaw is caused by insufficient input sanitization of the share metadata fields, specifically the title and description, which are rendered into the HTML of the public share page. Because the server renders this page with Go's text/template rather than html/template, the output receives no context-aware escaping, so a script injected into these fields is emitted verbatim. When a victim opens the share URL, the injected script runs in the victim's browser, which can lead to session hijacking, credential theft, or other malicious actions.

The weakness maps to CWE-79, which covers cross-site scripting flaws that arise when untrusted data is placed in a web page without proper validation or escaping. The root cause is the missing HTML escaping of the share metadata fields: an attacker's payload is stored in the database and executes every time the share page is loaded. This is a classic stored XSS scenario, where malicious input is persisted on the server and later served to other users without sanitization, and it reflects both weak input validation and inadequate output encoding, the two controls that are fundamental to preventing XSS in web applications.

The operational impact goes beyond the script execution itself: an attacker can compromise user sessions and potentially escalate privileges within the FileBrowser Quantum environment. When victims open a compromised share URL, their browsers run the injected script, which can capture session cookies, redirect the user to malicious sites, or perform actions as the authenticated user. The vector is especially concerning in file sharing environments, where users tend to trust content shared by others, which widens the attack surface. Because the flaw sits in the core sharing mechanism, it undermines the security assurances users expect from a file management platform, and it can be used to establish persistent access to shared resources and to compromise the wider user base that opens the malicious shares.

Mitigation requires updating to 1.3.1-beta or 1.2.2-stable, which address the root cause through proper HTML escaping: the fix switches rendering from text/template to html/template, so that every value is escaped according to the context in which it appears. Beyond patching, organizations should apply comprehensive input validation and sanitization to all user-provided content, particularly metadata fields that end up in HTML output. A Content Security Policy adds a further layer of protection against script execution, and regular audits of template rendering code can surface similar flaws elsewhere in the application. The vulnerability also underlines the secure coding practices described in the OWASP Top Ten and NIST cybersecurity guidelines, especially context-aware escaping and proper input validation. In ATT&CK terms it is classified as exploitation of a web application vulnerability through insecure input handling.
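The text/template versus html/template distinction described above, shown as an added example that is not FileBrowser Quantum's own code: the same template source is rendered with both packages over constructed share metadata, and only html/template escapes the title and description for the HTML contexts they land in. ShareMeta, pageTmpl and HasRawTag are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltmpl "html/template"
	"strings"
	texttmpl "text/template"
)

// ShareMeta: user-controlled share metadata rendered on the public share page (field names assumed here).
type ShareMeta struct {
	Title       string
	Description string
}

// pageTmpl is a minimal stand-in for the share page markup (not the project's
// own template): Title lands in element text, Description also in an attribute.
const pageTmpl = `<h1>{{.Title}}</h1><p title="{{.Description}}">{{.Description}}</p>`

// renderUnsafe reproduces the vulnerable pattern: text/template performs no
// escaping, so markup inside the metadata reaches the browser verbatim.
func renderUnsafe(m ShareMeta) (string, error) {
	var buf bytes.Buffer
	err := texttmpl.Must(texttmpl.New("share").Parse(pageTmpl)).Execute(&buf, m)
	return buf.String(), err
}

// renderSafe applies the fix the advisory describes: html/template escapes
// each value for the HTML context (text node, attribute value) it lands in.
func renderSafe(m ShareMeta) (string, error) {
	var buf bytes.Buffer
	err := htmltmpl.Must(htmltmpl.New("share").Parse(pageTmpl)).Execute(&buf, m)
	return buf.String(), err
}

// HasRawTag is the check a test or reviewer can run on rendered output:
// user-supplied markup must never appear unescaped in the page.
func HasRawTag(rendered, tag string) bool {
	return strings.Contains(rendered, "<"+tag+">")
}

func main() {
	// Constructed sample metadata carrying benign markup and quotes.
	m := ShareMeta{Title: `<b>quarterly</b> report`, Description: `a "quoted" <i>note</i>`}
	raw, _ := renderUnsafe(m)
	escaped, _ := renderSafe(m)
	fmt.Println("text/template:", raw, "raw <b>:", HasRawTag(raw, "b"))
	fmt.Println("html/template:", escaped, "raw <b>:", HasRawTag(escaped, "b"))
}
```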

Responsible: GitHub M
Reservation: 03/07/2026
Disclosure: 03/10/2026
Moderation: accepted
CPE: ready
EPSS: 0.00043
KEV: no
Activities: very low
