CVE-2026-30934

Опубликовано: 10 мар. 2026

Источник: nvd

CVSS3: 8.9

CVSS3: 5.4

EPSS Низкий

Описание

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.

Ссылки

https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable
Release Notes
https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta
Release Notes
https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

Версия до 1.2.9 (включая)

cpe:2.3:a:filebrowser:filebrowser:1.2.1:stable:*:*:*:*:*:*

cpe:2.3:a:filebrowser:filebrowser:1.3.0:beta:*:*:*:*:*:*

EPSS

Процентиль: 9%

0.00032

Низкий

8.9 High

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-r633-fcgp-m532

CVSS3: 8.9

github

около 1 месяца назад

FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)

EPSS

Процентиль: 9%

0.00032

Низкий

8.9 High

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79