NIXPKGS-2026-0940
GitHub issue
published on
Permalink
CVE-2026-34530
6.9 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): HIGH
- User interaction (UI): REQUIRED
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): LOW
- Availability impact (A): NONE
by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse removed package filebrowser-quantum
- @LeSuisse removed package python312Packages.filebrowser-safe
- @LeSuisse removed package python313Packages.filebrowser-safe
- @LeSuisse removed package python314Packages.filebrowser-safe
- @LeSuisse accepted
- @LeSuisse published on GitHub
File Browser is vulnerable to Stored Cross-Site Scripting via text/template branding injection
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2.
References
-
https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2 x_refsource_MISC
Affected products
filebrowser
- ==< 2.62.2
Matching in nixpkgs
Ignored packages (4)
pkgs.filebrowser-quantum
Access and manage your files from the web
-
nixos-unstable 1.2.2-stable
- nixpkgs-unstable 1.2.2-stable
- nixos-unstable-small 1.2.2-stable
pkgs.python312Packages.filebrowser-safe
Snapshot of django-filebrowser for the Mezzanine CMS
pkgs.python313Packages.filebrowser-safe
Snapshot of django-filebrowser for the Mezzanine CMS
pkgs.python314Packages.filebrowser-safe
Snapshot of django-filebrowser for the Mezzanine CMS
Package maintainers
-
@HritwikSinghal Hritwik Singhal <nix@thorin.theoakenshield.com>