Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
Published: 2026-03-10
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that can be triggered by any visitor to a compromised shared URL.
Action: Patch immediately
AI Analysis

Impact

FileBrowser Quantum allowed an attacker to embed malicious scripts in shared metadata fields such as title or description. Because the server used the text/template Go package instead of the context‑aware html/template, these scripts were rendered directly into the HTML of the public share page. When a victim opened that page, the payload executed in the victim's browser, potentially leaking session cookies, defacing the site, or executing further malicious actions. This is a classic stored XSS flaw (CWE‑79) that compromises confidentiality, integrity, and availability of the affected sessions.

Affected Systems

The vulnerability affects FileBrowser Quantum versions released before 1.3.1‑beta and before 1.2.2‑stable, including the 1.2.1 stable release and the 1.3.0 beta build. The vendor is gtsteffaniak. Attacks target the /public/share/<hash> endpoint which renders any user‑supplied metadata without escaping.

Risk and Exploitability

The flaw receives a CVSS score of 8.9, indicating high severity. The EPSS score is below 1 %, suggesting few attacks are currently observed, but the vulnerability is listed only in the vendor advisory and is not yet in the CISA KEV list. An attacker needs to create or modify a share with malicious metadata; once a user visits the public URL, the injected code executes. This requires no privileged access and can be carried out by anyone who can publish a share.

Generated by OpenCVE AI on April 16, 2026 at 09:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FileBrowser Quantum 1.3.1‑beta, 1.2.2‑stable, or a later version that removes the unsanitized rendering.
  • If an upgrade cannot be performed immediately, limit the ability to create shares to trusted users and sanitize or remove any metadata before publishing a share.
  • Configure the web server to issue a strong Content‑Security‑Policy header that restricts the execution of inline scripts on the public share page.

Generated by OpenCVE AI on April 16, 2026 at 09:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r633-fcgp-m532 FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)
History

Wed, 18 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Filebrowser
Filebrowser filebrowser
CPEs cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*
cpe:2.3:a:filebrowser:filebrowser:1.2.1:stable:*:*:*:*:*:*
cpe:2.3:a:filebrowser:filebrowser:1.3.0:beta:*:*:*:*:*:*
Vendors & Products Filebrowser
Filebrowser filebrowser

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Gtsteffaniak
Gtsteffaniak filebrowser
Vendors & Products Gtsteffaniak
Gtsteffaniak filebrowser

Tue, 10 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
Title FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L'}

Subscriptions

Filebrowser Filebrowser
Gtsteffaniak Filebrowser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T16:41:10.418Z

Reserved: 2026-03-07T16:40:05.885Z

Link: CVE-2026-30934

cve-icon Vulnrichment

Updated: 2026-03-10T16:40:53.861Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:53.257

Modified: 2026-03-18T16:52:51.783

Link: CVE-2026-30934

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z

Weaknesses