2 matches found
CVE-2026-34530 File Browser is vulnerable to Stored Cross-Site Scripting via text/template branding injection
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting XSS via admin-controlled branding fields. An admin who...
CVE-2026-34530
CVE-2026-34530 affects File Browser (pre-2.62.2) where the SPA index page renders admin-controlled branding fields using Go’s text/template, which is not HTML-escaped. An admin can set branding.name to a malicious payload, injecting persistent JavaScript that executes for all visitors, including ...