Stored XSS Vulnerability in FileBrowser Quantum by GT Steffaniak
CVE-2026-30934

8.9 HIGH

Key Information:

Vendor
CVE Published: 10 March 2026

What is CVE-2026-30934?

FileBrowser Quantum, a self-hosted web-based file manager, is affected by a stored XSS vulnerability due to improper handling of share metadata fields. Versions before 1.3.1-beta and 1.2.2-stable do not use context-aware escaping when rendering HTML, which can allow attackers to inject malicious scripts. This poses a risk to users as these scripts can be executed when they access share URLs, making it crucial for users to update to the patched versions to mitigate this risk.
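The difference between unescaped and context-aware rendering described above, as an added Go example that is not FileBrowser Quantum's code. The ShareMeta type, its field names, the page template and the sample values are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	texttpl "text/template"
)

// ShareMeta stands in for user-controlled share metadata. The type and field
// names are assumptions for this example, not FileBrowser Quantum's own.
type ShareMeta struct{ Title, Description string }

// One page source for both engines. The values land in three contexts:
// a quoted attribute, element text, and a script block.
const sharePage = `<h1 title="{{.Description}}">{{.Title}}</h1>
<script>var shareTitle = {{.Title}};</script>`

// Constructed sample input: markup where plain text is expected.
var sample = ShareMeta{
	Title:       `<script>alert(1)</script>`,
	Description: `"><img src=x onerror=alert(1)>`,
}

// renderUnescaped uses text/template, which copies values in verbatim.
func renderUnescaped(m ShareMeta) (string, error) {
	var b bytes.Buffer
	err := texttpl.Must(texttpl.New("share").Parse(sharePage)).Execute(&b, m)
	return b.String(), err
}

// renderContextAware uses html/template, which selects an escaper for each
// context: HTML entities in text and attributes, a JS string literal in script.
func renderContextAware(m ShareMeta) (string, error) {
	var b bytes.Buffer
	err := htmltpl.Must(htmltpl.New("share").Parse(sharePage)).Execute(&b, m)
	return b.String(), err
}

func main() {
	raw, _ := renderUnescaped(sample)
	safe, _ := renderContextAware(sample)
	fmt.Printf("text/template:\n%s\n\nhtml/template:\n%s\n", raw, safe)
}
```

The same check works as a regression test after upgrading: render a share whose metadata contains markup and assert that no unescaped tag reaches the response body.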

Affected Version(s)

filebrowser >= 1.3.0-beta, < 1.3.1-beta

filebrowser < 1.2.2-stable

CVSS V3.1

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
