CVE-2026-30934 is a stored cross-site scripting vulnerability identified in the FileBrowser Quantum product, a free, self-hosted, web-based file manager developed by gtsteffaniak. The vulnerability exists in versions prior to 1.3.1-beta and 1.2.2-stable. The root cause is improper neutralization of input during web page generation (CWE-79), specifically in the rendering of share metadata fields such as title and description on the /public/share/<hash> endpoint. The server uses Go's text/template package instead of the safer html/template package, which lacks context-aware escaping for HTML content. This allows an attacker with at least low privileges to inject malicious JavaScript code into these metadata fields. When a victim visits the crafted share URL, the injected script executes in their browser context, potentially stealing cookies, session tokens, or performing actions on behalf of the user. The vulnerability requires user interaction (visiting the malicious URL) and low privileges to inject the payload, but can lead to high confidentiality and integrity impacts, including account compromise or data theft. The CVSS v3.1 score is 8.9 (high), reflecting network attack vector, low attack complexity, low privileges required, user interaction needed, and scope change due to cross-origin impact. No known exploits in the wild have been reported yet. The issue is resolved in FileBrowser Quantum versions 1.3.1-beta and 1.2.2-stable by switching to proper context-aware escaping. This vulnerability highlights the importance of using secure templating engines and sanitizing user input in web applications.

The impact of CVE-2026-30934 is significant for organizations using vulnerable versions of FileBrowser Quantum. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim's browser when they access a shared link, leading to theft of sensitive information such as authentication tokens, session cookies, or personal data. This can result in unauthorized access to user accounts, data exfiltration, and further lateral movement within the organization’s environment. The integrity of data can be compromised by malicious script actions, such as modifying displayed content or triggering unauthorized operations. Availability impact is limited but could occur if attackers use the vulnerability to perform denial-of-service attacks via script execution. Since FileBrowser Quantum is often self-hosted and used to manage sensitive files, the breach of confidentiality and integrity poses a critical risk. The vulnerability also undermines user trust in shared links and may lead to reputational damage. Organizations with external-facing FileBrowser instances are particularly at risk, especially if users are tricked into visiting maliciously crafted share URLs.

To mitigate CVE-2026-30934, organizations should immediately upgrade FileBrowser Quantum to versions 1.3.1-beta or 1.2.2-stable where the vulnerability is fixed. If upgrading is not immediately possible, implement strict input validation and sanitization on share metadata fields to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the shared URLs. Review and audit all existing shared links for suspicious or unexpected metadata content. Limit the exposure of the /public/share/ endpoint by restricting access to trusted users or networks where feasible. Educate users about the risks of clicking on untrusted shared links. Additionally, monitor logs for unusual activity related to share URLs and consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads targeting this endpoint. Finally, developers should ensure the use of context-aware templating engines like html/template in Go to prevent similar vulnerabilities in future releases.