Platform
go
Component
github.com/filebrowser/filebrowser/v2
Fixed in
2.62.3
2.62.2
CVE-2026-34530 describes a stored Cross-Site Scripting (XSS) vulnerability in File Browser v2. This vulnerability allows an administrator to inject malicious JavaScript into the SPA index page via admin-controlled branding fields, leading to persistent script execution for all visitors. The vulnerability impacts versions prior to 2.62.2 and has been addressed with a patch.
The impact of this XSS vulnerability is significant due to its persistent nature. An attacker who can modify the branding.name field can inject JavaScript that will execute for every user visiting the File Browser instance, including those who are not authenticated. This allows for a wide range of malicious activities, including session hijacking, defacement of the File Browser interface, redirection to phishing sites, and theft of sensitive data. The lack of proper escaping of branding fields in the http/static.go file, which uses text/template instead of the safer html/template, is the root cause of this vulnerability.
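To make the root cause concrete, the following added example (written for this page, not File Browser's own code) renders a constructed stand-in for the SPA index page with text/template beside html/template; the template string, the `branding.name` probe value and the helper names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"io"
	"strings"
	texttemplate "text/template"
)

// Stand-in for the SPA index page with the admin-controlled branding name in the
// <title>. Constructed for this example; it is not File Browser's real template.
const indexTmpl = `<!DOCTYPE html><html><head><title>{{ .Name }}</title></head><body></body></html>`

// Both template packages satisfy this; only html/template escapes by context.
type executor interface{ Execute(w io.Writer, data any) error }

func render(t executor, name string) (string, error) {
	var buf bytes.Buffer
	err := t.Execute(&buf, map[string]string{"Name": name})
	return buf.String(), err
}

// renderUnsafe reproduces the vulnerable pattern: text/template copies the
// branding name into the page verbatim, markup included.
func renderUnsafe(name string) (string, error) {
	return render(texttemplate.Must(texttemplate.New("index").Parse(indexTmpl)), name)
}

// renderSafe is the fixed pattern: html/template sees that {{ .Name }} sits inside
// <title> and escapes '<', '>', '&' and quotes, so the name is shown as plain text.
func renderSafe(name string) (string, error) {
	return render(htmltemplate.Must(htmltemplate.New("index").Parse(indexTmpl)), name)
}

// emitsRawMarkup is the check a code reviewer wants answered: does the rendered
// page still contain the untrusted name unescaped?
func emitsRawMarkup(page, name string) bool {
	return strings.Contains(page, name)
}

func main() {
	probe := `</title><script>alert(1)</script>` // constructed XSS probe string
	unsafePage, _ := renderUnsafe(probe)
	safePage, _ := renderSafe(probe)
	fmt.Println("text/template emits raw markup:", emitsRawMarkup(unsafePage, probe)) // true
	fmt.Println("html/template emits raw markup:", emitsRawMarkup(safePage, probe))   // false
}
```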
CVE-2026-34530 was publicly disclosed on 2026-03-31. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the ease of exploitation (requiring only administrative access) and the potential impact, it is likely to become a target for attackers.
File Browser installations where administrators have access to modify branding settings are at risk. This includes shared hosting environments where multiple users may share a single File Browser instance and one administrator could compromise the entire system. Legacy File Browser deployments running older, unpatched versions are particularly vulnerable.
• linux / server: Examine File Browser configuration files for suspicious JavaScript code in the branding.name field. Use grep to search for potentially malicious payloads.
grep -r 'alert(' /path/to/filebrowser/config.yml
• generic web: Monitor File Browser access logs for requests to modify the branding configuration. Look for unusual user agents or IP addresses.
curl -I http://your-filebrowser-instance/branding
• wordpress / composer / npm: (Not applicable, as File Browser is not a WordPress plugin or Node.js package)
• database (mysql, redis, mongodb, postgresql): (Not applicable, as File Browser does not directly store branding information in a database)
• windows / supply-chain: (Not applicable, as File Browser is not a Windows application)
EPSS
0.06% (19th percentile)
The primary mitigation for CVE-2026-34530 is to upgrade File Browser to version 2.62.2 or later, which includes the necessary fix. If upgrading immediately is not possible, consider restricting administrative access to the branding configuration fields. While not a complete solution, this can limit the potential attack surface. Monitor File Browser logs for unusual activity or attempts to modify branding fields. There are no specific WAF rules or detection signatures readily available, but monitoring for unusual JavaScript execution within the File Browser context is recommended.
Update File Browser to version 2.62.2 or later. This version fixes the stored Cross-Site Scripting (XSS) vulnerability. The update prevents a malicious administrator from injecting persistent JavaScript code that runs for all visitors.
CVE-2026-34530 is a Cross-Site Scripting (XSS) vulnerability in File Browser v2 that allows an administrator to inject malicious JavaScript via branding fields, impacting all users.
You are affected if you are running File Browser v2 prior to version 2.62.2 and an administrator has access to modify the branding configuration.
Upgrade File Browser to version 2.62.2 or later to remediate the vulnerability. Restricting administrative access to branding fields can provide a temporary mitigation.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the official File Browser security advisory on their GitHub repository for detailed information and updates.