SB20260408141 - Multiple vulnerabilities in FileBrowser

Published: April 8, 2026

Security Bulletin ID: SB20260408141
Severity: High
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity: High 33%, Low 67%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-34530)

The vulnerability allows a remote user to execute arbitrary script in victims' browsers.

The vulnerability exists due to cross-site scripting in the SPA index page branding template when rendering admin-controlled branding fields with Go's text/template. A remote privileged user can set a specially crafted branding value to execute arbitrary script in victims' browsers.

User interaction is required to load the affected page, and the injected script is stored persistently and can affect unauthenticated visitors.
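The root cause named above is the choice of Go's text/template, which copies values into the page verbatim, for a page that is HTML. The following is an added example, not FileBrowser's own code: it renders a constructed branding value through a hypothetical index-page fragment with both text/template and html/template, so the difference in output is visible. The Branding type, the field name, the template fragment and the sample value are all assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Branding models admin-controlled branding fields that an SPA index page
// interpolates. The struct and field name are assumptions for this example,
// not FileBrowser's own types.
type Branding struct {
	Name string
}

// indexFragment is a hypothetical index-page template fragment; the real
// template is not reproduced in the bulletin.
const indexFragment = `<h1 class="brand">{{.Name}}</h1>`

// sampleName is a constructed branding value that contains markup.
const sampleName = `Acme Files <script>doSomething()</script>`

// renderWithTextTemplate mirrors the vulnerable pattern: text/template has no
// notion of HTML, so whatever Name contains is copied into the page verbatim
// and the browser parses it as live markup.
func renderWithTextTemplate(b Branding) (string, error) {
	t, err := texttemplate.New("index").Parse(indexFragment)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, b); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderWithHTMLTemplate is the hardened form: html/template escapes the value
// for the context it lands in, so angle brackets become entities and the
// browser treats the branding as text rather than markup.
func renderWithHTMLTemplate(b Branding) (string, error) {
	t, err := htmltemplate.New("index").Parse(indexFragment)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, b); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	b := Branding{Name: sampleName}
	raw, _ := renderWithTextTemplate(b)
	safe, _ := renderWithHTMLTemplate(b)
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", safe)
}
```

The escaping in html/template is context-aware, so the same value placed inside an attribute or a script block would be encoded differently; switching the package is the fix, but a review of every place branding values are interpolated is still needed, since a `{{.Name | safeHTML}}`-style pipeline would opt the value back out of escaping.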


2) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-34529)

The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in EPUB file rendering when processing a crafted EPUB file. A remote user can upload a specially crafted EPUB file to execute arbitrary script in a victim's browser.

User interaction is required to open the crafted EPUB content.


3) Improper privilege management (CVE-ID: CVE-2026-34528)

The vulnerability allows a remote attacker to execute arbitrary commands on the server.

The vulnerability exists due to improper privilege management in the signupHandler and command execution authorization logic when processing self-registration and subsequent command execution requests. A remote attacker can self-register an account that inherits execution permissions and allowed commands to execute arbitrary commands on the server.

Exploitation requires public signup, server-side command execution, and default user settings that grant execute permission and populate an allowed commands list.
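The preconditions above combine to one flaw: an account created through public signup receives the server's default user settings unchanged, execute permission and allowed-commands list included. The following is an added example, not FileBrowser's own code, showing that inheritance beside a hardened signup path that strips execution rights from self-registered accounts, plus a command authorization check that requires both the flag and the allowlist. The Perms, User and Defaults types, the field names, and the constructed defaults are assumptions for this illustration.

```go
package main

import "fmt"

// Perms and User are a hypothetical, simplified model of per-user settings;
// the names are assumptions for this example, not FileBrowser's own types.
type Perms struct {
	Execute bool
}

type User struct {
	Username string
	Perms    Perms
	Commands []string // allowed commands for server-side execution
}

// Defaults stands in for the server's default-user settings that are applied
// to every newly created account.
type Defaults struct {
	Perms    Perms
	Commands []string
}

// newUserInheritingDefaults mirrors the flawed pattern: a self-registered
// account receives a full copy of the defaults, execute permission and the
// allowed-commands list included.
func newUserInheritingDefaults(name string, d Defaults) User {
	return User{
		Username: name,
		Perms:    d.Perms,
		Commands: append([]string(nil), d.Commands...),
	}
}

// newSelfRegisteredUser is the hardened form: an account created through
// public signup never carries execute permission or an allowed-commands list,
// whatever the defaults say. An administrator can grant them explicitly later.
func newSelfRegisteredUser(name string, d Defaults) User {
	u := newUserInheritingDefaults(name, d)
	u.Perms.Execute = false
	u.Commands = nil
	return u
}

// authorizeCommand is a hypothetical check for a command-execution request:
// the execute flag and the allowlist must both agree, and an empty allowlist
// denies everything.
func authorizeCommand(u User, cmd string) bool {
	if !u.Perms.Execute {
		return false
	}
	for _, allowed := range u.Commands {
		if allowed == cmd {
			return true
		}
	}
	return false
}

func main() {
	// Constructed defaults of the kind the bulletin names as a precondition:
	// execute granted and an allowed-commands list populated.
	d := Defaults{Perms: Perms{Execute: true}, Commands: []string{"ls", "git"}}
	inherited := newUserInheritingDefaults("visitor", d)
	hardened := newSelfRegisteredUser("visitor", d)
	fmt.Println("inherits defaults, ls allowed:", authorizeCommand(inherited, "ls"))
	fmt.Println("self-registered, ls allowed:", authorizeCommand(hardened, "ls"))
}
```

Until the vendor update is applied, the same preconditions point at the interim mitigations: disable public signup, or make sure the default user settings grant no execute permission and carry an empty allowed-commands list, and audit existing accounts for either.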


Remediation

Install the update from the vendor's website.