CVE-2026-30934
# FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)

Severity: HIGH (8.9) | EPSS: 0.04%

## Description
### Summary

Stored XSS is possible via share metadata fields (e.g., `title`, `description`) that are rendered into HTML for `/public/share/<hash>` without context-aware escaping. The server uses `text/template` instead of `html/template`, allowing injected scripts to execute when victims visit the share URL.

### Details

The server renders `public/index.html` using `text/template` and injects user-controlled share fields (title/description/etc.) into HTML contexts. `text/template` does not perform HTML contextual escaping like `html/template`. Because share metadata is persistent, the payload becomes stored and executes whenever a victim opens the affected share page.

Relevant code paths:

- `backend/http/static.go` (template rendering and share metadata assignment)
- `backend/http/httpRouter.go` (template initialization)
- `frontend/public/index.html` (insertion points for title/description and related fields)

### PoC

1. Login as a user with share creation permission.
2. Create a share (`POST /api/share`) with malicious metadata:
   - `title = </title><script>alert("xss")</script><title>`
3. Open the resulting `/public/share/<hash>` URL in a browser.
4. **Expected:** Payload is safely escaped and displayed as text.
5. **Actual:** JavaScript executes in victim's browser (stored XSS).

Tested on Docker image: `gtstef/filebrowser:stable` (version `v1.2.1-stable`).

### Impact

- Arbitrary script execution in application origin.
- Potential account/session compromise, CSRF-like action execution, data exfiltration from authenticated contexts.
- Affects anyone (including unauthenticated visitors) opening the malicious share URL.
- The XSS is stored and persistent — no social engineering beyond sharing the link is required.
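The advisory's root cause is the choice of template package, so the clearest way to see the fix is to render the same page with both. The following is an added example, not code from the FileBrowser project: it uses a constructed stand-in for `frontend/public/index.html` with the two insertion points the advisory names, a `ShareMeta` struct whose field names are assumptions, and the PoC `title` value from the advisory as input. `renderText` reproduces the vulnerable pattern (`text/template` substitutes the field verbatim); `renderHTML` is the mitigation (`html/template` picks an escaper per context: RCDATA escaping inside `<title>`, attribute escaping inside `content="..."`, HTML text escaping in `<h1>`/`<p>`).

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// ShareMeta stands in for the persisted share fields the advisory describes.
// The field names are assumptions for this example, not the project's types.
type ShareMeta struct {
	Title       string
	Description string
}

// pageTemplate is a constructed stand-in for frontend/public/index.html with
// the same kind of insertion points: a <title> (RCDATA context), a meta
// attribute value, and ordinary HTML text.
const pageTemplate = `<html><head><title>{{.Title}}</title>
<meta name="description" content="{{.Description}}"></head>
<body><h1>{{.Title}}</h1><p>{{.Description}}</p></body></html>
`

// pocTitle is the advisory's PoC title value, used here only as input so the
// two renderers can be compared on the same string.
const pocTitle = `</title><script>alert("xss")</script><title>`

// renderText mirrors the vulnerable pattern: text/template knows nothing about
// HTML, so markup inside share metadata is emitted as markup.
func renderText(m ShareMeta) (string, error) {
	t, err := texttemplate.New("index").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, m); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderHTML is the fix: html/template parses the template as HTML at Parse
// time and applies a context-specific escaper to every {{...}} action, so the
// same input comes out as inert text (&lt;script&gt;...) in every position.
func renderHTML(m ShareMeta) (string, error) {
	t, err := htmltemplate.New("index").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, m); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	m := ShareMeta{Title: pocTitle, Description: `plain "quoted" description`}

	vulnerable, err := renderText(m)
	if err != nil {
		panic(err)
	}
	fmt.Println("--- text/template (vulnerable) ---")
	fmt.Print(vulnerable)

	fixed, err := renderHTML(m)
	if err != nil {
		panic(err)
	}
	fmt.Println("--- html/template (fixed) ---")
	fmt.Print(fixed)
}
```

Running it prints the page twice: the `text/template` version contains a live `<script>` element immediately after a closed `<title>`, while the `html/template` version contains only entity-escaped text. The only code change between the two is the import, which is also what makes this class of bug easy to catch in review: grep the backend for `"text/template"` wherever the output is served with an HTML content type.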
## Affected packages (2)

- Go: `github.com/gtsteffaniak/filebrowser`, affected from 0, fixed in 0.0.0-20260307130210-09713b32a5f6
- Go: `github.com/gtsteffaniak/filebrowser`, affected from 0, fixed in 0.0.0-20260307130210-09713b32a5f6
## CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.9) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L |
## References (6)

- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-30934
- PATCH: https://github.com/gtsteffaniak/filebrowser
- WEB: https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable
- WEB: https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta
- WEB: https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532
- WEB: https://pkg.go.dev/vuln/GO-2026-4660