Nixpkgs security tracker


Details of issue NIXPKGS-2026-0625

NIXPKGS-2026-0625
published on
CVE-2026-30934
8.9 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
updated 3 weeks, 1 day ago by @mweinelt Activity log
  • Created automatic suggestion
  • @mweinelt removed package filebrowser
  • @mweinelt removed package python312Packages.filebrowser-safe
  • @mweinelt removed package python313Packages.filebrowser-safe
  • @mweinelt removed package python314Packages.filebrowser-safe
  • @mweinelt accepted
  • @mweinelt published on GitHub
FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into the HTML of /public/share/<hash> without context-aware escaping. The server renders the page with Go's text/template, which performs no escaping, instead of html/template, so scripts injected into the metadata execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
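The template misuse the advisory describes can be demonstrated in a few lines of Go. The example below is added here and is not FileBrowser's code: the `ShareMeta` type, the `sharePage` template and the probe string are constructed stand-ins for the project's real share metadata and page. `renderUnsafe` mirrors the vulnerable pattern (text/template, no escaping) and `renderSafe` the fix (html/template, contextual escaping); the same template and data go through both so the difference in output is the whole story.

```go
package main

import (
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// ShareMeta is a constructed stand-in for the share metadata fields the
// advisory names (title, description); it is not FileBrowser's own type.
type ShareMeta struct {
	Title       string
	Description string
}

// sharePage is a constructed stand-in for the public share page template.
// Both fields land in HTML text context, where "<" must become "&lt;".
const sharePage = `<!doctype html>
<title>{{.Title}}</title>
<h1>{{.Title}}</h1>
<p>{{.Description}}</p>
`

// renderUnsafe reproduces the vulnerable pattern: text/template substitutes
// values verbatim, so any markup stored in the metadata reaches the browser.
func renderUnsafe(m ShareMeta) (string, error) {
	t, err := texttemplate.New("share").Parse(sharePage)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	if err := t.Execute(&b, m); err != nil {
		return "", err
	}
	return b.String(), nil
}

// renderSafe is the fixed form: html/template parses the template as HTML
// and applies the escaper that matches the context of each action.
func renderSafe(m ShareMeta) (string, error) {
	t, err := htmltemplate.New("share").Parse(sharePage)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	if err := t.Execute(&b, m); err != nil {
		return "", err
	}
	return b.String(), nil
}

// containsRawTag is a small regression check a test suite could keep: a
// rendered share page must never carry an unescaped tag that came from
// user-controlled metadata.
func containsRawTag(rendered string) bool {
	return strings.Contains(rendered, "<script")
}

func main() {
	// Constructed probe: the classic harmless marker, not a real payload.
	m := ShareMeta{Title: "Quarterly report", Description: "<script>alert(1)</script>"}

	unsafe, err := renderUnsafe(m)
	if err != nil {
		panic(err)
	}
	safe, err := renderSafe(m)
	if err != nil {
		panic(err)
	}
	fmt.Println("text/template output (vulnerable):")
	fmt.Print(unsafe)
	fmt.Println("html/template output (fixed):")
	fmt.Print(safe)
	fmt.Println("raw tag in vulnerable output:", containsRawTag(unsafe))
	fmt.Println("raw tag in fixed output:     ", containsRawTag(safe))
}
```

Switching the import is the whole fix for this class of bug, but only because html/template decides the escaper from the position of each `{{...}}` in the parsed HTML; splicing a pre-escaped string into text/template, or escaping by hand in only some handlers, is how such a bug survives review. A test like `containsRawTag` over every rendered public page keeps the regression from returning.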

Affected products

filebrowser
  • >= 1.3.0-beta, < 1.3.1-beta
  • < 1.2.2-stable

Matching in nixpkgs

Package maintainers

https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532