Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in FileBrowser - CVE-2026-34530

 


Published: April 8, 2026


Vulnerability identifier: #VU125396
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34530
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: File Browser
Affected software:
FileBrowser

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in victims' browsers.

The vulnerability exists due to cross-site scripting in the SPA index page branding template when rendering admin-controlled branding fields with Go's text/template. A remote privileged user can set a specially crafted branding value to execute arbitrary script in victims' browsers.

User interaction is required to load the affected page, and the injected script is stored persistently and can affect unauthenticated visitors.
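
The difference between Go's text/template and html/template for a branding value, shown as an added example that is not FileBrowser's code. The `Branding` struct, the `Name` field, the `indexPage` template and the sample value are all constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	"io"
	texttpl "text/template"
)

// indexPage is a constructed, cut-down index template. The .Name field stands
// in for an admin-controlled branding value (assumed name, not the project's).
const indexPage = `<!DOCTYPE html>
<html><head><title>{{ .Name }}</title></head>
<body><div id="app" data-brand="{{ .Name }}"></div></body></html>`

// Branding is a hypothetical settings struct used only for this example.
type Branding struct{ Name string }

// executor is satisfied by both text/template and html/template templates.
type executor interface {
	Execute(w io.Writer, data interface{}) error
}

func render(t executor, b Branding) (string, error) {
	var buf bytes.Buffer
	err := t.Execute(&buf, b)
	return buf.String(), err
}

// renderText uses text/template, which writes values into the page verbatim.
func renderText(b Branding) (string, error) {
	return render(texttpl.Must(texttpl.New("index").Parse(indexPage)), b)
}

// renderHTML uses html/template, which escapes each value for the HTML
// context it lands in (element text, quoted attribute).
func renderHTML(b Branding) (string, error) {
	return render(htmltpl.Must(htmltpl.New("index").Parse(indexPage)), b)
}

func main() {
	// Constructed branding value containing markup.
	b := Branding{Name: `Acme</title><script>alert(1)</script>`}
	raw, _ := renderText(b)
	safe, _ := renderHTML(b)
	fmt.Println("text/template:\n" + raw)
	fmt.Println("html/template:\n" + safe)
}
```

With text/template the markup in the stored value becomes part of the page; with html/template the same value is emitted as inert text in both the title and the attribute.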


How to mitigate CVE-2026-34530

Install the security update from the vendor's website.
