vendor/filebrowser/browser.php: Filename parameter is unencoded, which can lead to a potential XSS
First load a file on diag_edit.php and then save it with ');alert('XSS appended to the name, then browse and try to load the file.
In order to exploit this, the user must already have root access to the box to write a file, or write it themselves. There is no practical way to exploit this that would gain an attacker anything they couldn't get by other means with access to this page already. Still worth addressing.
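
The failure described in this report, shown as an added example that is not the code of browser.php: a filename placed in a single-quoted JavaScript string inside an HTML attribute, first unencoded and then encoded for both contexts. The markup, the loadFile() handler and the render_* function names are hypothetical, and the sample path is constructed from the reproduction steps above.

```php
<?php
// Added example; hypothetical markup, not the actual code of browser.php.

// Constructed sample: a filename saved as in the reproduction steps.
$filename = "/tmp/test.txt');alert('XSS";

// Unencoded: the name goes straight into a single-quoted JavaScript string
// inside an HTML attribute, so a quote in the name ends the string early.
function render_unencoded(string $name): string
{
    return '<a href="#" onclick="loadFile(\'' . $name . '\')">' . $name . '</a>';
}

// Encoded once for each context the value passes through:
//  1. json_encode() produces a JavaScript string literal; the JSON_HEX_*
//     flags also turn ', ", <, > and & into \uXXXX escapes.
//  2. htmlspecialchars() encodes that literal for the HTML attribute, and
//     the visible link text separately.
function render_encoded(string $name): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    $js = json_encode($name, $flags);
    if ($js === false) {
        // json_encode() fails on names that are not valid UTF-8;
        // refuse to render them rather than emit an unencoded value.
        throw new InvalidArgumentException('filename is not valid UTF-8');
    }
    $attr = htmlspecialchars('loadFile(' . $js . ')', ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<a href="#" onclick="' . $attr . '">' . $text . '</a>';
}

echo render_unencoded($filename), PHP_EOL;
echo render_encoded($filename), PHP_EOL;
```

In the second line of output the quotes from the filename appear only as \u0027 escapes inside one JavaScript string literal, so the handler receives the whole name as data.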