
22 matches found

OSV
added 2026/03/11 4:0 p.m., 2 views

GO-2026-4660 FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse) in github.com/gtsteffaniak/filebrowser

FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse) in github.com/gtsteffaniak/filebrowser...

8.9 CVSS, 5.8 AI score, 0.00043 EPSS
Exploits: 1, References: 4
Cvelist
added 2026/03/10 4:12 p.m., 27 views

CVE-2026-30934 FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead ...

8.9 CVSS, 0.00043 EPSS
Exploits: 1, References: 3
OSV
added 2026/03/10 4:12 p.m., 2 views

CVE-2026-30934 FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead ...

8.9 CVSS, 5.9 AI score, 0.00043 EPSS
Exploits: 1, References: 5
CVE
added 2026/03/10 4:12 p.m., 9 views

CVE-2026-30934

CVE-2026-30934 affects FileBrowser Quantum (self-hosted web-based file manager). Prior to versions 1.3.1-beta and 1.2.2-stable, a Stored XSS exists via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/. The server uses Go text/template instead of html...

8.9 CVSS, 5.8 AI score, 0.00043 EPSS
Exploits: 1, References: 3, Affected Software: 1
OSV
added 2026/03/09 7:48 p.m., 5 views

GHSA-R633-FCGP-M532 FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)

Summary: Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. Details: T...

8.9 CVSS, 6 AI score, 0.00043 EPSS
Exploits: 1, References: 6
Github Security Blog
added 2026/03/09 7:48 p.m., 4 views

FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)

Summary: Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. Details: T...

8.9 CVSS, 6 AI score, 0.00043 EPSS
Exploits: 1, References: 6, Affected Software: 1
RedhatCVE
added 2026/02/20 7:39 p.m., 4 views

CVE-2026-26336

Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories like WEB-INF via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files...

8.7 CVSS, 5.7 AI score, 0.0007 EPSS
Exploits: 1, References: 1
NVD
added 2026/02/19 5:24 p.m., 5 views

CVE-2026-26336

Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories like WEB-INF via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files...

8.7 CVSS, 0.0007 EPSS
Exploits: 1, References: 3
NVD
added 2026/02/10 6:16 p.m., 5 views

CVE-2026-24045

Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks...

7.3 CVSS, 0.00042 EPSS
Exploits: 1, References: 3
Vulnrichment
added 2026/02/10 4:56 p.m., 3 views

CVE-2026-24045 Docmost Affected by Stored XSS in Public Share Page

Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks...

7.3 CVSS, 6 AI score, 0.00042 EPSS
Exploits: 1, References: 3
CVE
added 2026/02/10 4:56 p.m., 5 views

CVE-2026-24045

Docmost 0.25.0 fixes a stored XSS on the public share page where page titles are inserted into meta and title tags without proper HTML escaping. Affected: Docmost prior to 0.25.0. Severity: high (CVSS 3.1 base 7.3). Impact: arbitrary JavaScript execution in the context of any user who opens a sha...

7.3 CVSS, 6 AI score, 0.00042 EPSS
Exploits: 1, References: 3, Affected Software: 1
Cvelist
added 2026/02/10 4:56 p.m., 23 views

CVE-2026-24045 Docmost Affected by Stored XSS in Public Share Page

Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks...

7.3 CVSS, 0.00042 EPSS
Exploits: 1, References: 3
OSV
added 2026/02/10 4:56 p.m., 5 views

CVE-2026-24045 Docmost Affected by Stored XSS in Public Share Page

Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks, whe...

7.3 CVSS, 5.9 AI score, 0.00042 EPSS
Exploits: 1, References: 5
Positive Technologies
added 2026/02/10 12:0 a.m., 3 views

PT-2026-7317

Name of the Vulnerable Software and Affected Versions: Docmost versions prior to 0.25.0. Description: Docmost is collaborative wiki and documentation software. The public share page functionality does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This...

7.3 CVSS, 5.8 AI score, 0.00042 EPSS
Exploits: 1, References: 7
Vulnrichment
added 2023/06/23 6:15 p.m., 13 views

CVE-2023-35155 XWiki Platform vulnerable to cross-site scripting in target parameter via share page by email

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). For instance, the following URL executes an alert in the browser:...

8.8 CVSS, 6.8 AI score, 0.47027 EPSS
Exploits: 1, References: 2
OpenVAS
added 2018/11/01 12:0 a.m., 20 views

Nextcloud Server < 14.0.0, < 13.0.3, < 12.0.8 Session fixation on public share page (NC-SA-2018-013) - Linux

Nextcloud Server is prone to a session fixation vulnerability. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if description...

3.6 CVSS, 3.7 AI score, 0.00132 EPSS
Exploits: 0, References: 2
Nextcloud
added 2018/10/25 12:0 a.m., 26 views

Session fixation on public share page (NC-SA-2018-013)

A bug causing session fixation could potentially allow an attacker to obtain access to password protected shares...

3.6 CVSS, 3.9 AI score, 0.00132 EPSS
Exploits: 0, Affected Software: 1
CNVD
added 2017/05/11 12:0 a.m., 2 views

SQL injection vulnerability in the create_share.php page of TreeHole's external link system

TreeHole external link system is a free and open-source PHP external-link network disk system that supports three storage methods (Qiniu, local and remote) and multiple users. The create_share.php page of TreeHole has an SQL injection vulnerability because the program fails to filter...

7.8 AI score
Exploits: 0
Atlassian
added 2013/10/01 10:59 a.m., 28 views

Inaccessible page titles leaked by Share Page API

The Share Page API exposes a REST endpoint that is available to authenticated users of Confluence. It is possible for any user to share any page simply by specifying the corresponding numeric id and the resulting notification includes the title of the shared page. In particular, a user may obtain...

6.6 AI score
Exploits: 0, Affected Software: 1
Atlassian
added 2013/10/01 10:59 a.m., 32 views

Inaccessible page titles leaked by Share Page API

The Share Page API exposes a REST endpoint that is available to authenticated users of Confluence. It is possible for any user to share any page simply by specifying the corresponding numeric id and the resulting notification includes the title of the shared page. In particular, a user may obtain...

6.6 AI score
Exploits: 0