{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.2.9"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.2.1-stable"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6b8a65382f0787968eb2275de4f574a68e13e0b4"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "4c8b1188484f994a0d287435150cf3d58f3dc0f3"
            }
          ],
          "repo": "https://github.com/filebrowser/filebrowser",
          "type": "GIT"
        }
      ]
    },
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "1.3.0-beta"
              },
              {
                "fixed": "1.3.1-beta"
              }
            ]
          },
          "events": [
            {
              "introduced": "e4907225a1ac0be759245417ac4d5289539f2cea"
            },
            {
              "fixed": "9d6e429a38be5f4d95476e2d272d6cdff7bcb784"
            }
          ],
          "repo": "https://github.com/gtsteffaniak/filebrowser",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "1.2.2-stable"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "09713b32a5f6e369a5197319749a12b8e7fd5f2b"
            }
          ],
          "repo": "https://github.com/gtsteffaniak/filebrowser",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-r633-fcgp-m532"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30934.json"
  },
  "details": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/\u003chash\u003e without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.",
  "id": "CVE-2026-30934",
  "modified": "2026-04-01T23:09:18.022603014Z",
  "published": "2026-03-10T16:12:23.434Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30934.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30934"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)"
}