CVE-2026-34530
published 2026-04-01

Priority: P4 · 29 · medium · 6.9 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
EPSS: 0.36% (27.5th percentile)

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | < 2.62.2 | 2.62.2 |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.62.2 | 2.62.2 |