Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields with the trusted d.share.Path BEFORE the downstream sanitizer runs. Because filepath.Join collapses .. segments during the join, the sanitizer in resourcePatchHandler never sees the traversal and the move/copy/rename operates on a path outside the shared directory. The same root-cause pattern was patched for the bulk DELETE endpoint as CVE-2026-44542 (GHSA-fwj3-42wh-8673), but the PATCH handler with the identical pattern was not updated. A public share link with AllowModify=true is sufficient to exploit this. Anyone holding such a link can move, copy, or rename arbitrary files within the share owner's source root. This issue has been fixed in versions 1.3.3-stable and 1.4.2-beta.
Published: 2026-06-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FileBrowser Quantum is a self-hosted web‑based file manager. The flaw exists in the publicPatchHandler, where the server concatenates user‑controlled fromPath and toPath fields with the shared directory path before the downstream sanitizer runs. Because Go’s filepath.Join collapses ".." segments during the join, the sanitizer never sees the traversal, allowing a move, copy, or rename operation to target a location outside the intended shared directory. This is a Path Traversal vulnerability, classified as CWE‑22. An attacker who can issue a PATCH request with appropriate body parameters and a public share link that permits modification can therefore relocate, duplicate, or delete files anywhere within the share owner’s source root. The impact is that confidential data can be exposed, corrupted, or removed, and the file system can be fundamentally altered.

Affected Systems

The vulnerability affects gtsteffaniak FileBrowser Quantum releases older than v1.3.2‑stable, v1.4.0‑beta, and v1.4.1‑beta. The issue was fixed in v1.3.3‑stable and v1.4.2‑beta. Versions identified as "prior to 1.3.2‑stable, 1.4.0‑beta and 1.4.1‑beta" are therefore vulnerable. The affected product is FileBrowser Quantum, a free, self‑hosted, web‑based file manager.

Risk and Exploitability

The CVSS score of 9.3 labels the flaw as critical. This Path Traversal vulnerability (CWE‑22) demonstrates that remote attackers can manipulate filesystem paths outside the intended boundary. The EPSS score of <1% indicates a low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a valid public share link that has AllowModify=true. Once such a link is known, an attacker can remotely perform arbitrary move, copy, or rename operations against the host’s filesystem. The attack vector is remote over HTTP(S) using the PATCH endpoint; no local user privilege or special conditions are required beyond the share link.

Generated by OpenCVE AI on June 18, 2026 at 00:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FileBrowser Quantum v1.3.3‑stable, v1.4.2‑beta, or a later release that contains the path traversal fix.
  • Revoke any public share links that grant modify permissions or change them to read‑only if modification rights are unnecessary.
  • Confirm that the underlying filesystem permissions restrict the share owner’s source root to only the intended files and directories, limiting the impact if the flaw were still present.
  • Validate that any user‑supplied paths are properly sanitized and that the application enforces boundaries, addressing the CWE‑22 Path Traversal flaw.

Generated by OpenCVE AI on June 18, 2026 at 00:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qqqm-5547-774x FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory
History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Gtsteffaniak
Gtsteffaniak filebrowser
Vendors & Products Gtsteffaniak
Gtsteffaniak filebrowser

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields with the trusted d.share.Path BEFORE the downstream sanitizer runs. Because filepath.Join collapses .. segments during the join, the sanitizer in resourcePatchHandler never sees the traversal and the move/copy/rename operates on a path outside the shared directory. The same root-cause pattern was patched for the bulk DELETE endpoint as CVE-2026-44542 (GHSA-fwj3-42wh-8673), but the PATCH handler with the identical pattern was not updated. A public share link with AllowModify=true is sufficient to exploit this. Anyone holding such a link can move, copy, or rename arbitrary files within the share owner's source root. This issue has been fixed in versions 1.3.3-stable and 1.4.2-beta.
Title FileBrowser Quantum: Path Traversal in public share PATCH allows file ops outside shared directory
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Gtsteffaniak Filebrowser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-17T14:45:51.660Z

Reserved: 2026-05-22T20:18:20.364Z

Link: CVE-2026-48777

cve-icon Vulnrichment

Updated: 2026-06-17T14:45:38.857Z

cve-icon NVD

Status : Deferred

Published: 2026-06-16T20:16:46.583

Modified: 2026-06-16T20:45:06.307

Link: CVE-2026-48777

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T00:15:03Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')