Platform
go
Component
github.com/filebrowser/filebrowser/v2
Fixed in
2.62.3
2.62.2
CVE-2026-34530 describes a stored Cross-Site Scripting (XSS) vulnerability in File Browser v2. This vulnerability allows an administrator to inject malicious JavaScript into the SPA index page via admin-controlled branding fields, leading to persistent script execution for all visitors. The vulnerability impacts versions prior to 2.62.2 and has been addressed with a patch.
The impact of this XSS vulnerability is significant because the payload is persistent and is served from the application's own origin. An administrator, or an attacker holding a compromised administrator account, who can modify the branding.name field can inject JavaScript that executes for every user who loads the File Browser single-page application, including visitors who have not yet authenticated. That enables session hijacking, defacement of the File Browser interface, redirection to phishing sites, and theft of files or credentials entered through the UI. The root cause is a missing escaping step: http/static.go rendered the index page with text/template, which substitutes values verbatim, instead of html/template, which escapes each value according to the HTML or JavaScript context in which it is placed.
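To make the root cause concrete, here is an added example, not File Browser's own code, that renders a constructed stand-in for the SPA index page with both packages. The template string, the Branding type and the payload are assumptions for illustration; what they show is the real difference between text/template and html/template in Go's standard library.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// indexTmpl is a constructed stand-in for the SPA index page (an assumption,
// not File Browser's real template). Like the real page it places the
// branding name both in an HTML text context and inside a JavaScript string.
const indexTmpl = `<!DOCTYPE html><html><head><title>{{.Name}}</title></head>` +
	`<body><script>window.FileBrowser = {Name: "{{.Name}}"};</script></body></html>`

// Branding models the admin-controlled branding settings discussed above.
type Branding struct {
	Name string
}

// RenderVulnerable reproduces the pre-2.62.2 pattern: text/template knows
// nothing about HTML and substitutes Name verbatim, so markup in the value
// becomes live markup in the served page.
func RenderVulnerable(b Branding) (string, error) {
	t, err := texttemplate.New("index").Parse(indexTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, b); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderHardened is the fixed pattern: html/template parses the surrounding
// HTML, determines that the first {{.Name}} sits in <title> text and the
// second inside a JS string literal, and applies the escaper for each context.
func RenderHardened(b Branding) (string, error) {
	t, err := htmltemplate.New("index").Parse(indexTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, b); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ScriptSurvives reports whether the rendered page still carries the
// attacker's closing-then-opening <script> tags verbatim, i.e. whether the
// injection would break out of the JS string and run.
func ScriptSurvives(page string) bool {
	return strings.Contains(page, "</script><script>")
}

func main() {
	// Constructed payload: closes the script element the JS string lives in
	// and opens a fresh one under attacker control.
	evil := Branding{Name: `Files</script><script>alert(document.cookie)</script>`}

	vuln, err := RenderVulnerable(evil)
	if err != nil {
		panic(err)
	}
	safe, err := RenderHardened(evil)
	if err != nil {
		panic(err)
	}
	fmt.Printf("text/template: injection survives = %v\n", ScriptSurvives(vuln))
	fmt.Printf("html/template: injection survives = %v\n", ScriptSurvives(safe))
	fmt.Println(safe)
}
```

Run it and compare the two pages: the text/template output contains the payload byte for byte, while the html/template output has `<` rewritten to `&lt;` in the title and to `\u003c` inside the JavaScript string, so the browser sees a harmless string rather than a second script element. This is why the fix is a package swap rather than a one-off sanitizer on branding.name.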
CVE-2026-34530 was publicly disclosed on 2026-03-31. There are currently no known public proof-of-concept exploits, and the vulnerability is not listed in the CISA KEV catalog as of this writing. Exploitation does require an administrator account, so this is a post-authentication, privilege-abuse issue rather than an unauthenticated one; but once that account is held the attack is a single settings change with no further constraints, and the payload reaches every visitor, which makes it an attractive follow-on step for an attacker who has obtained or phished administrator credentials.
Exploit Status
EPSS
0.06% (19th percentile)
The primary mitigation for CVE-2026-34530 is to upgrade File Browser to version 2.62.2 or later (2.62.3 is also listed above as a fixed release). If an immediate upgrade is not possible, reduce the number of accounts that hold the administrator role, since only administrators can change the branding fields; this shrinks the set of accounts whose compromise leads to stored XSS, but it is not a complete fix because any remaining administrator can still plant the payload. Review the currently stored branding settings for unexpected HTML, in particular `<script` or `</script>` fragments, and monitor File Browser logs for changes to the branding configuration. There are no published WAF rules or detection signatures for this issue; because the payload lives in the server-side settings rather than in a request, the most reliable check is inspecting those stored values directly rather than watching for JavaScript execution in browsers.
Update File Browser to version 2.62.2 or higher. This version fixes the Stored Cross-site Scripting (XSS) vulnerability. The update will prevent a malicious administrator from injecting persistent JavaScript code that executes for all visitors.
CVE-2026-34530 is a Cross-Site Scripting (XSS) vulnerability in File Browser v2 that allows an administrator to inject malicious JavaScript via branding fields, impacting all users.
You are affected if you are running File Browser v2 prior to version 2.62.2 and an administrator has access to modify the branding configuration.
Upgrade File Browser to version 2.62.2 or later to remediate the vulnerability. Restricting administrative access to branding fields can provide a temporary mitigation.
As of now, there are no confirmed reports of active exploitation. Exploitation requires an administrator account, but once one is obtained the attack is a single settings change that affects every visitor, so the vulnerability remains a realistic target in deployments where administrator credentials are weak, shared, or exposed.
Refer to the official File Browser security advisory on their GitHub repository for detailed information and updates.