CVE-2026-30934

Summary

FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse) in github.com/gtsteffaniak/filebrowser

Severity

medium

EPSS

0.3% (p26)

Also known as

GHSA-r633-fcgp-m532, GO-2026-4660

Published

2026-03-11

References

• https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532
• https://nvd.nist.gov/vuln/detail/CVE-2026-30934
• https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable

Related advisories

• CVE-2026-44542 — critical · Go/github.com/gtsteffaniak/filebrowser
• CVE-2026-46410 — high · Go/github.com/gtsteffaniak/filebrowser
• GHSA-mmpx-jh39-wrv6 — medium · Go/github.com/gtsteffaniak/filebrowser

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity