CVE-2026-30934 - Vulnerability Analysis

Overview

FileBrowser Quantum < 1.3.1-beta and < 1.2.2-stable contains a stored XSS caused by improper escaping of share metadata fields in /public/share/<hash>, letting attackers execute scripts when victims visit the share URL, exploit requires victim to visit malicious share link.

Severity & Score

Impact

Attackers can execute arbitrary scripts in victims' browsers, potentially stealing cookies or performing actions on their behalf.

Mitigation

Update to versions 1.3.1-beta or 1.2.2-stable or later.

References

• https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable
• https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta
• https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 10, 2026

🟠 CVE-2026-30934 - High (8.9) FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/ without context-aw... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30934/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner