GHSA-R633-FCGP-M532

Vulnerability from github – Published: 2026-03-09 19:48 – Updated: 2026-03-10 18:44
Summary
FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)
Details

Summary

Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL.

Details

The server renders public/index.html with text/template and injects the user-controlled share fields (title, description and related fields) into HTML contexts. Unlike html/template, text/template performs no contextual HTML escaping, so a value containing markup is emitted verbatim into the page. Because share metadata is persisted with the share, the payload is stored and executes every time a victim opens the affected share page.

Relevant code paths:

  • backend/http/static.go (template rendering and share metadata assignment)
  • backend/http/httpRouter.go (template initialization)
  • frontend/public/index.html (insertion points for title/description and related fields)

PoC

  1. Log in as a user with share creation permission.
  2. Create a share (POST /api/share) with malicious metadata:
     • title = </title><script>alert("xss")</script><title>
  3. Open the resulting /public/share/<hash> URL in a browser.
  4. Expected: Payload is safely escaped and displayed as text.
  5. Actual: JavaScript executes in the victim's browser (stored XSS).

Tested on Docker image: gtstef/filebrowser:stable (version v1.2.1-stable).
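The rendering difference described under Details and exercised by the PoC above, as an added Go example that is not FileBrowser's own code: a minimal stand-in for public/index.html is rendered once with text/template (the vulnerable path) and once with html/template (the fix), using a title payload of the same shape as the PoC. The Share struct, its field names, the template markup and the containsLiveScript oracle are assumptions made for this illustration, not the project's types or markup.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Share is the user-controlled metadata a share owner submits. The struct and
// field names are assumptions for this example, not the project's own types.
type Share struct {
	Title       string
	Description string
}

// pageTmpl is a deliberately small stand-in for frontend/public/index.html.
// It places share metadata into three HTML contexts: an RCDATA element body
// (<title>), a quoted attribute value, and ordinary element text.
const pageTmpl = `<!DOCTYPE html>
<html>
<head><title>{{.Title}}</title></head>
<body>
<div id="share" data-title="{{.Title}}">
<p>{{.Description}}</p>
</div>
</body>
</html>`

// renderWithTextTemplate mirrors the vulnerable pattern: text/template
// substitutes field values verbatim, so markup in the metadata becomes live
// markup in the rendered page.
func renderWithTextTemplate(s Share) (string, error) {
	t, err := texttemplate.New("index").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderWithHTMLTemplate is the fix: html/template tracks the HTML context at
// each {{...}} action and applies the matching escaper (RCDATA escaping inside
// <title>, attribute escaping inside data-title, HTML escaping inside <p>).
func renderWithHTMLTemplate(s Share) (string, error) {
	t, err := htmltemplate.New("index").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsLiveScript is a crude oracle for the demonstration: an unescaped
// "<script" in the output means the metadata reached the page as markup.
func containsLiveScript(page string) bool {
	return strings.Contains(strings.ToLower(page), "<script")
}

func main() {
	// Constructed payload, the same shape as the advisory's PoC title.
	malicious := Share{
		Title:       `</title><script>alert("xss")</script><title>`,
		Description: `<img src=x onerror="alert(document.cookie)">`,
	}

	vuln, err := renderWithTextTemplate(malicious)
	if err != nil {
		panic(err)
	}
	safe, err := renderWithHTMLTemplate(malicious)
	if err != nil {
		panic(err)
	}

	fmt.Printf("text/template output contains live <script>: %v\n", containsLiveScript(vuln))
	fmt.Printf("html/template output contains live <script>: %v\n", containsLiveScript(safe))
	fmt.Println("--- html/template rendering ---")
	fmt.Println(safe)
}
```

With html/template the title payload is emitted as `&lt;/title&gt;&lt;script&gt;alert(&#34;xss&#34;)&lt;/script&gt;&lt;title&gt;` in all three contexts, whereas the text/template rendering contains a real `</title><script>` sequence. Two caveats when applying the same switch to a real code base: html/template only escapes values it sees as plain strings, so any field wrapped in template.HTML (or a similar typed-content value) bypasses the escaping again, and the context tracking depends on the template's own markup being well formed, so the fix belongs at the template layer and does not remove the need to validate share metadata on input.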

Impact

  • Arbitrary script execution in application origin.
  • Potential account/session compromise, CSRF-like action execution, data exfiltration from authenticated contexts.
  • Affects anyone (including unauthenticated visitors) opening the malicious share URL.
  • The XSS is stored and persistent — no social engineering beyond sharing the link is required.

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gtsteffaniak/filebrowser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260307130210-09713b32a5f6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30934"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-09T19:48:15Z",
    "nvd_published_at": "2026-03-10T18:18:53Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nStored XSS is possible via share metadata fields (e.g., `title`, `description`) that are rendered into HTML for `/public/share/\u003chash\u003e` without context-aware escaping. The server uses `text/template` instead of `html/template`, allowing injected scripts to execute when victims visit the share URL.\n\n## Details\nThe server renders `public/index.html` using `text/template` and injects user-controlled share fields (title/description/etc.) into HTML contexts. `text/template` does not perform HTML contextual escaping like `html/template`. Because share metadata is persistent, the payload becomes stored and executes whenever a victim opens the affected share page.\n\nRelevant code paths:\n- `backend/http/static.go` (template rendering and share metadata assignment)\n- `backend/http/httpRouter.go` (template initialization)\n- `frontend/public/index.html` (insertion points for title/description and related fields)\n\n## PoC\n1. Login as a user with share creation permission.\n2. Create a share (`POST /api/share`) with malicious metadata:\n   - `title = \u003c/title\u003e\u003cscript\u003ealert(\"xss\")\u003c/script\u003e\u003ctitle\u003e`\n3. Open the resulting `/public/share/\u003chash\u003e` URL in a browser.\n4. **Expected:** Payload is safely escaped and displayed as text.\n5. **Actual:** JavaScript executes in victim\u0027s browser (stored XSS).\n\nTested on Docker image: `gtstef/filebrowser:stable` (version `v1.2.1-stable`).\n\n## Impact\n- Arbitrary script execution in application origin.\n- Potential account/session compromise, CSRF-like action execution, data exfiltration from authenticated contexts.\n- Affects anyone (including unauthenticated visitors) opening the malicious share URL.\n- The XSS is stored and persistent \u2014 no social engineering beyond sharing the link is required.",
  "id": "GHSA-r633-fcgp-m532",
  "modified": "2026-03-10T18:44:32Z",
  "published": "2026-03-09T19:48:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30934"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gtsteffaniak/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)"
}

