CVE-2026-30934
Published: 10 March 2026
Summary
CVE-2026-30934 is a high-severity stored Cross-site Scripting (CWE-79) vulnerability in FileBrowser Quantum (listed as vendor/product Filebrowser / Filebrowser). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). It ranks at the 11.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): mandates filtering and context-aware escaping of outputs such as share metadata rendered into HTML, which directly prevents stored XSS from executing on public share pages. This control addresses the root cause, since the flaw is missing output escaping rather than missing input checks.
- SI-10 (Information Input Validation): requires validation of user-supplied share metadata fields (title, description) so that values containing markup or script are rejected or sanitized before storage. Treat this as defense in depth; it does not replace correct output encoding.
- SI-2 (Flaw Remediation): ensures timely identification, patching and verification of flaws such as the text/template misuse fixed in FileBrowser Quantum 1.3.1-beta and 1.2.2-stable.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in share metadata gives the attacker script execution in the victim's browser whenever the victim opens the public share URL. Because the share page is served from the same origin as the rest of the application, that script can act with the victim's session, which is the precondition for Browser Session Hijacking (T1185) and is explicitly noted in the description.
NVD Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
Deeper analysis
FileBrowser Quantum, a free self-hosted web-based file manager, is affected by CVE-2026-30934, a stored cross-site scripting (XSS) vulnerability rated at CVSS 8.9 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L) and mapped to CWE-79. The issue exists in versions prior to 1.3.1-beta and 1.2.2-stable, where share metadata fields such as title and description can be abused to inject malicious scripts. These fields are rendered into HTML on public share pages (/public/share/<hash>) without context-aware escaping, as the server employs Go's text/template package rather than the safer html/template, enabling script execution in victims' browsers.
An authenticated user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) by creating or editing a share whose title or description contains a JavaScript payload. Exploitation requires user interaction (UI:R): a victim must open the public share URL. The payload then runs in the victim's browser under the application's origin, a component outside the vulnerable server's own security authority, which is why the scope is rated as changed (S:C). Successful attacks have high confidentiality and integrity impact (session hijacking, actions performed as the victim, data exfiltration) and low availability impact.
The GitHub security advisory (GHSA-r633-fcgp-m532) and the release notes for v1.2.2-stable and v1.3.1-beta confirm the vulnerability has been fixed by switching to proper HTML template escaping. Security practitioners should upgrade to these versions immediately, review existing shares for metadata containing markup or script and delete or rewrite them, and audit custom templates for similar text/template misuse, since a template that is rendered into an HTTP response should be parsed by html/template so that escaping follows the HTML, attribute, URL or JavaScript context of each substitution.
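To make the root cause concrete, the following added example (written for this page, not FileBrowser's own code) renders a stand-in share page once with text/template and once with html/template using a constructed metadata payload, and includes a small go/parser pass that lists text/template imports as a first step for the template audit recommended above. The ShareMeta fields, the sharePage template and the helper names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"go/parser"
	"go/token"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// ShareMeta models the user-controlled share metadata fields named in the
// advisory (title, description). The struct and field names are assumptions.
type ShareMeta struct {
	Title       string
	Description string
}

// sharePage is a minimal stand-in for a public share page template. It is not
// FileBrowser's real template; it only shows two HTML text-context substitutions.
const sharePage = `<h1>{{.Title}}</h1><p>{{.Description}}</p>`

// RenderWithTextTemplate reproduces the vulnerable pattern: text/template
// substitutes values verbatim, so metadata containing markup becomes markup.
func RenderWithTextTemplate(m ShareMeta) (string, error) {
	t, err := texttemplate.New("share").Parse(sharePage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, m); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderWithHTMLTemplate is the fix: html/template parses the template as HTML
// and applies escaping appropriate to the context of each substitution point.
func RenderWithHTMLTemplate(m ShareMeta) (string, error) {
	t, err := htmltemplate.New("share").Parse(sharePage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, m); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ContainsActiveScript is a deliberately crude check used only to make the
// difference observable: it reports whether an unescaped <script tag survived.
func ContainsActiveScript(html string) bool {
	return strings.Contains(html, "<script")
}

// AuditTextTemplateImports parses Go source (imports only) and returns the
// file:line:col of every "text/template" import, aliased or not. It is a cheap
// first pass for finding templates that may be rendered into HTTP responses.
func AuditTextTemplateImports(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, imp := range f.Imports {
		if imp.Path.Value == `"text/template"` {
			hits = append(hits, fset.Position(imp.Pos()).String())
		}
	}
	return hits, nil
}

func main() {
	// Constructed payload standing in for attacker-supplied share metadata.
	meta := ShareMeta{
		Title:       `Quarterly report <script>alert(document.cookie)</script>`,
		Description: `<img src=x onerror="alert(1)">`,
	}
	vuln, _ := RenderWithTextTemplate(meta)
	fixed, _ := RenderWithHTMLTemplate(meta)
	fmt.Println("text/template:", vuln)
	fmt.Println("html/template:", fixed)

	// Constructed source snippet showing what the audit pass flags.
	src := "package handlers\n\nimport (\n\t\"net/http\"\n\t\"text/template\"\n)\n"
	hits, _ := AuditTextTemplateImports("share.go", src)
	fmt.Println("text/template imports:", hits)
}
```

The html/template output escapes `<`, `>`, `"`, `'`, `&` and `+` in HTML text context, so both payloads render as inert text; text/template emits them byte for byte. An import hit from the audit pass is not by itself a vulnerability (text/template is correct for plain-text output such as e-mail bodies or config files), so each hit still needs a check of where the executed output is written.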
Details
- CWE(s)