NIXPKGS-2026-0940

GitHub issue published on

Permalink CVE-2026-34530

6.9 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): High (H)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 1 month, 3 weeks ago by @LeSuisse Activity log

Created suggestion 1 month, 3 weeks ago
@LeSuisse ignored
4 packages
- filebrowser-quantum
- python312Packages.filebrowser-safe
- python313Packages.filebrowser-safe
- python314Packages.filebrowser-safe
1 month, 3 weeks ago
@LeSuisse accepted 1 month, 3 weeks ago
@LeSuisse published on GitHub 1 month, 3 weeks ago

File Browser is vulnerable to Stored Cross-Site Scripting via text/template branding injection

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2.

References

https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv x_refsource_CONFIRM
https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2 x_refsource_MISC

Affected products

filebrowser

==< 2.62.2

Matching in nixpkgs

pkgs.filebrowser

Filebrowser is a web application for managing files and directories

nixos-unstable 2.61.2
- nixpkgs-unstable 2.61.2
- nixos-unstable-small 2.61.2
nixos-25.11 2.61.2
- nixos-25.11-small 2.61.2
- nixpkgs-25.11-darwin 2.61.2

Ignored packages (4)

pkgs.filebrowser-quantum

Access and manage your files from the web

nixos-unstable 1.2.2-stable
- nixpkgs-unstable 1.2.2-stable
- nixos-unstable-small 1.2.2-stable

pkgs.python312Packages.filebrowser-safe

Snapshot of django-filebrowser for the Mezzanine CMS

nixos-25.11 1.1.1
- nixos-25.11-small 1.1.1
- nixpkgs-25.11-darwin 1.1.1

pkgs.python313Packages.filebrowser-safe

Snapshot of django-filebrowser for the Mezzanine CMS

nixos-unstable 1.1.1
- nixpkgs-unstable 1.1.1
- nixos-unstable-small 1.1.1
nixos-25.11 1.1.1
- nixos-25.11-small 1.1.1
- nixpkgs-25.11-darwin 1.1.1

pkgs.python314Packages.filebrowser-safe

Snapshot of django-filebrowser for the Mezzanine CMS

nixos-unstable 1.1.1
- nixpkgs-unstable 1.1.1
- nixos-unstable-small 1.1.1

Package maintainers

@HritwikSinghal Hritwik Singhal <nix@thorin.theoakenshield.com>

Advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0940

References

Affected products

Matching in nixpkgs

pkgs.filebrowser

pkgs.filebrowser-quantum

pkgs.python312Packages.filebrowser-safe

pkgs.python313Packages.filebrowser-safe

pkgs.python314Packages.filebrowser-safe

Package maintainers