title: Stored cross-site scripting (XSS) in file browser
cve: CVE-2016-1566
fixed: 0.9.9

A cross-site scripting (XSS) vulnerability was discovered through which files with specially crafted filenames could lead to JavaScript execution. This requires that file transfer is enabled to a location which is shared by multiple users, and that the filename is displayed within the file browser located within the Guacamole menu.
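
The class of bug described above, as an added illustration that is not Guacamole's code: a hypothetical file-list renderer that places a filename into markup unescaped, next to a form that escapes it, with a small audit over a listing. All function names and the sample filenames are constructed for this example.

```javascript
// Added example; not Guacamole's code. All names here are hypothetical.

// Escape the five characters that carry meaning in HTML text and attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the filename, chosen by whoever stored the file, is
// concatenated into markup that every other user's browser will parse.
function renderEntryUnsafe(filename) {
  return '<div class="file" title="' + filename + '">' + filename + '</div>';
}

// Hardened pattern: the filename is treated as data in both contexts.
function renderEntrySafe(filename) {
  const safe = escapeHtml(filename);
  return '<div class="file" title="' + safe + '">' + safe + '</div>';
}

// Count element start tags and double quotes in a rendered fragment.
function countTags(html) { return (html.match(/<[a-zA-Z]/g) || []).length; }
function countQuotes(html) { return (html.match(/"/g) || []).length; }

// Return the names whose rendered entry is no longer exactly one <div>
// with two intact attributes, i.e. the name changed the markup structure.
function auditListing(render, names) {
  return names.filter((name) => {
    const html = render(name);
    return countTags(html) !== 1 || countQuotes(html) !== 4;
  });
}

// Constructed sample listing of a shared transfer folder.
const listing = ['report.pdf', 'notes & todo.txt', '<b>bold.txt', 'a"b.txt'];

console.log('unsafe renderer altered by:', auditListing(renderEntryUnsafe, listing));
console.log('safe renderer altered by:  ', auditListing(renderEntrySafe, listing));
```

In a browser, assigning the name through `textContent` (or an equivalent text-binding in the UI framework) achieves the same separation without hand-built markup.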

Acknowledgements: We would like to thank Niv Levy for reporting this issue.