CVE-2026-34530 - Vulnerability Details

- File Browser is vulnerable to Stored Cross-Site Scripting via text/template branding injection

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2.

Published: 2026-04-01

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

File Browser’s single–page application index page is vulnerable to a stored cross‑site scripting flaw that is triggered when an administrator sets the branding.name field to a malicious payload. The injected script is persisted and executed in every browser session that loads the index page, which means all visitors—including those who are not authenticated—can be targeted. The impact is the possible theft of credentials, session hijacking, or other malicious actions performed in the context of the affected user’s browser.

Affected Systems

The vulnerability affects the File Browser file‑management interface from the vendor identified as File Browser, All brands using the open‑source product. Versions earlier than v2.62.2 are impacted, while v2.62.2 and later contain the fix.

Risk and Exploitability

The CVSS score is 6.9, indicating a medium severity, while the EPSS score is below 1% which suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires that the attacker deliver a malicious payload via the branding.name field, which generally requires administrative access or compromise of an administrator’s account. Once the malicious script is stored, it will run for all users who view the index page.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

filebrowser

affected

Version	Status	Constraints
`< 2.62.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Filebrowser

100%

Version	Status	Scheme	Platform
`[0,2.62.2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade File Browser to version 2.62.2 or later.

Generated by OpenCVE AI on April 7, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-xfqj-3vmx-63wv	File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv

History

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:filebrowser:filebrowser::::::::

Sat, 04 Apr 2026 05:00:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Filebrowser Filebrowser filebrowser
Vendors & Products		Filebrowser Filebrowser filebrowser

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2.
Title		File Browser is vulnerable to Stored Cross-Site Scripting via text/template branding injection
Weaknesses		CWE-79
References		https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2 https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv
Metrics		cvssV3_1 `{'score': 6.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N'}`

Subscriptions

Filebrowser Filebrowser

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-01T20:41:08.718Z

Updated: 2026-04-04T03:14:50.072Z

Reserved: 2026-03-30T16:03:31.048Z

Link: CVE-2026-34530

Vulnrichment

Updated: 2026-04-04T03:14:46.034Z

NVD

Status : Analyzed

Published: 2026-04-01T21:17:00.993

Modified: 2026-04-06T20:34:21.887

Link: CVE-2026-34530

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:07:27Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object