Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable public share endpoint, no auth required when AllowModify share exists (PR:N), arbitrary file move/copy yields high integrity and effective confidentiality impact; no direct availability impact.
Primary rating from Vendor (GitHub_M).
Description (source: CVE.org)
FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields with the trusted d.share.Path BEFORE the downstream sanitizer runs. Because filepath.Join collapses .. segments during the join, the sanitizer in resourcePatchHandler never sees the traversal and the move/copy/rename operates on a path outside the shared directory. The same root-cause pattern was patched for the bulk DELETE endpoint as CVE-2026-44542 (GHSA-fwj3-42wh-8673), but the PATCH handler with the identical pattern was not updated. A public share link with AllowModify=true is sufficient to exploit this. Anyone holding such a link can move, copy, or rename arbitrary files within the share owner's source root. This issue has been fixed in versions 1.3.3-stable and 1.4.2-beta.
Analysis (AI-generated)
Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta allows holders of a public share link with AllowModify=true to move, copy, or rename arbitrary files within the share owner's source root by abusing the publicPatchHandler in backend/http/public.go. The flaw stems from filepath.Join collapsing ../ segments BEFORE the SanitizeUserPath check runs, an identical pattern to the previously patched DELETE endpoint (CVE-2026-44542). …
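The ordering defect that the description and analysis above attribute to publicPatchHandler, modelled as an added Go example (this is not FileBrowser Quantum's code; the function names, the sample share root and the input are constructed): the same ".." check passes when it runs after filepath.Join and fails when it runs before it, with a filepath.Rel containment check as a second layer.

```go
// Added illustration of the join-then-sanitize ordering; hypothetical names,
// not FileBrowser Quantum's own code.
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// rejectDotDot stands in for a sanitizer that scans for ".." segments.
func rejectDotDot(p string) error {
	for _, seg := range strings.Split(filepath.ToSlash(p), "/") {
		if seg == ".." {
			return fmt.Errorf("path %q escapes share root", p)
		}
	}
	return nil
}

// joinThenSanitize is the vulnerable order: Join collapses ".." first, so
// the sanitizer sees a clean absolute path and misses the escape.
func joinThenSanitize(shareRoot, userPath string) (string, error) {
	full := filepath.Join(shareRoot, userPath)
	if err := rejectDotDot(full); err != nil {
		return "", err
	}
	return full, nil
}

// sanitizeThenJoin is the fixed order: check the raw input before joining,
// then confirm the joined result still lies under shareRoot.
func sanitizeThenJoin(shareRoot, userPath string) (string, error) {
	if err := rejectDotDot(userPath); err != nil {
		return "", err
	}
	full := filepath.Join(shareRoot, userPath)
	rel, err := filepath.Rel(shareRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q resolves outside share root", userPath)
	}
	return full, nil
}

func main() {
	in := "../../etc/secret.conf" // constructed traversal input
	v, verr := joinThenSanitize("/srv/data/share", in)
	f, ferr := sanitizeThenJoin("/srv/data/share", in)
	fmt.Printf("vulnerable: %q %v\nfixed: %q %v\n", v, verr, f, ferr)
}
```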
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires three concrete conditions: (1) the target FileBrowser Quantum instance must have at least one public share whose AllowModify flag is set to true; (2) the attacker must possess (or guess/obtain) the share's URL hash; no account credentials are needed; (3) the deployment must use the default DenyByDefault=false access policy, so that the share owner's substituted permissions broadly permit operations on the source root. … |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N with VC:H/VI:H scores 9.3 (Critical) and accurately reflects that exploitation requires only network reachability to a share link: no authentication, no user interaction, and low complexity. … |
| Exploit Scenario | An attacker obtains or guesses a public share link for a FileBrowser Quantum instance where the owner enabled AllowModify=true (a common setting for collaborative shares). The attacker sends an HTTP PATCH to the public share endpoint with a JSON body containing items[].fromPath like '../../etc/secret.conf' and items[].toPath pointing inside the shared directory, causing filepath.Join to collapse the traversal and the server to move the owner's sensitive file into the publicly readable share, exposing it for download or destroying its original location. … |
| Remediation | Vendor-released patch: upgrade to 1.3.3-stable (https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.3-stable) or 1.4.2-beta (https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.4.2-beta), which sanitize fromPath/toPath before joining them with the share root. … |
Recommended Action (AI-generated)
Within 24 hours: Inventory all FileBrowser Quantum instances and identify those running versions prior to 1.3.2-stable; immediately disable AllowModify permissions on all public share links or suspend public sharing capability. …
EUVD-2026-37207
GHSA-qqqm-5547-774x