Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30934 is a stored Cross-Site Scripting (XSS) vulnerability in FileBrowser Quantum, a web-based file manager. The issue occurs because the server renders public share pages using Go's text/template package instead of html/template, which does not perform context-aware HTML escaping."}, {'type': 'paragraph', 'content': 'This allows malicious scripts to be injected via share metadata fields such as title and description, which are stored persistently and rendered directly into HTML without proper sanitization. When a user visits the share URL, the injected script executes.'}, {'type': 'paragraph', 'content': 'The vulnerability affects versions prior to 1.3.1-beta and 1.2.2-stable and is classified under CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting).'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to arbitrary script execution within the application's origin when a victim visits a maliciously crafted share URL."}, {'type': 'list_item', 'content': 'Potential compromise of user accounts or sessions.'}, {'type': 'list_item', 'content': 'Execution of Cross-Site Request Forgery (CSRF)-like actions.'}, {'type': 'list_item', 'content': 'Exfiltration of sensitive data.'}, {'type': 'paragraph', 'content': 'The attack requires low privileges (the attacker must have share creation rights) and low complexity, with user interaction limited to visiting the malicious share URL.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing if the share metadata fields (such as title or description) in the /public/share/<hash> URL are vulnerable to stored Cross-Site Scripting (XSS). Specifically, you can create a share with a payload containing script tags in the metadata fields and then visit the share URL to see if the script executes.'}, {'type': 'paragraph', 'content': 'A proof of concept involves sending a POST request to /api/share with a title containing a script tag payload like `</title><script>alert("xss")</script><title>`. If the script executes when visiting the share URL, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'Commands to test this might include using curl or similar tools to create a share with malicious metadata, for example:'}, {'type': 'list_item', 'content': 'curl -X POST -H "Content-Type: application/json" -d \'{"title":"</title><script>alert(\\"xss\\")</script><title>", "path":"/some/path"}\' http://<filebrowser-server>/api/share'}, {'type': 'paragraph', 'content': 'Then visit the resulting /public/share/<hash> URL in a browser to check if the alert executes, indicating the presence of the stored XSS vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade FileBrowser Quantum to version 1.3.1-beta or 1.2.2-stable or later, where this vulnerability has been fixed.

Until the upgrade is applied, restrict or disable the ability for users to create shares with metadata fields that could contain malicious scripts, or limit access to the /public/share/ URLs to trusted users only.

Additionally, monitor and audit share metadata fields for suspicious content that could indicate exploitation attempts.

Useful 0 Not Useful 0