Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope. This affects public/api/resources and public/api/resources/bulk. This vulnerability is fixed in 1.3.1-stable and 1.3.9-beta.
Published: 2026-05-14
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FileBrowser Quantum allows an unauthenticated attacker to delete arbitrary files that lie outside the intended shared directory. The flaw results from attacker‑controlled path input being joined with a trusted base path before sanitization, enabling traversal sequences such as "../" to escape the public share’s directory. When a public share hash with delete permission is available, the attacker can target any file within the share owner’s configured storage scope, effectively erasing critical data and potentially disrupting service availability. The underlying weakness is a path‑traversal flaw, which jeopardizes data integrity and availability.

Affected Systems

FileBrowser Quantum versions prior to 1.3.1‑stable and 1.3.9‑beta are impacted. The vulnerability applies to endpoints public/api/resources and public/api/resources/bulk, which process file deletion requests. Users running the affected releases should verify that a valid public share hash with delete permission is configured, as this is required for the exploit to succeed.

Risk and Exploitability

The CVSS score of 9.1 classifies this issue as critical. While EPSS data is unavailable, the absence of a KEV listing does not reduce its severity; the attack can be performed by an unauthenticated actor merely by possessing a public share hash, a scenario that frequently occurs when shares are publicly configurable. The vulnerability requires no authentication, only a share hash, and the required traversal is straightforward. Consequently, the risk to systems that host public shares with delete permission is high and remediation is urgent.

Generated by OpenCVE AI on May 14, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FileBrowser Quantum version 1.3.1‑stable or 1.3.9‑beta to eliminate the path traversal flaw.
  • If an upgrade cannot be performed immediately, disable delete permissions on public shares to prevent arbitrary file deletions.
  • Verify that file paths are properly sanitized and audit public API endpoints to ensure no residual misuse remains.

Generated by OpenCVE AI on May 14, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fwj3-42wh-8673 FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion
History

Fri, 15 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Gtsteffaniak filebrowser Quantum
CPEs cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:-:*:*:*:*:*:*
cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:beta:*:*:*:*:*:*
Vendors & Products Gtsteffaniak filebrowser Quantum

Fri, 15 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Gtsteffaniak
Gtsteffaniak filebrowser
Vendors & Products Gtsteffaniak
Gtsteffaniak filebrowser

Thu, 14 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope. This affects public/api/resources and public/api/resources/bulk. This vulnerability is fixed in 1.3.1-stable and 1.3.9-beta.
Title FileBrowser Quantum: Unauthenticated Path Traversal in Public Share Delete Allows Arbitrary File Deletion
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Gtsteffaniak Filebrowser Filebrowser Quantum
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T15:03:11.944Z

Reserved: 2026-05-06T19:38:10.567Z

Link: CVE-2026-44542

cve-icon Vulnrichment

Updated: 2026-05-15T14:59:49.854Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-14T18:16:50.157

Modified: 2026-05-15T18:09:04.607

Link: CVE-2026-44542

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T18:45:26Z

Weaknesses