Golang/Github.com/Gtsteffaniak/Filebrowser

FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)

Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL.

FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info

The remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2.

FileBrowser Quantum: Password Protection Not Enforced on Shared File Links

When users share password-protected files, the recipient can completely bypass the password and still download the file.

Advisories for Golang/Github.com/Gtsteffaniak/Filebrowser package