Impact
FileBrowser Quantum is a self-hosted web‑based file manager. The flaw exists in the publicPatchHandler, where the server concatenates user‑controlled fromPath and toPath fields with the shared directory path before the downstream sanitizer runs. Because Go’s filepath.Join collapses ".." segments during the join, the sanitizer never sees the traversal, allowing a move, copy, or rename operation to target a location outside the intended shared directory. This is a Path Traversal vulnerability, classified as CWE‑22. An attacker who can issue a PATCH request with appropriate body parameters and a public share link that permits modification can therefore relocate, duplicate, or delete files anywhere within the share owner’s source root. The impact is that confidential data can be exposed, corrupted, or removed, and the file system can be fundamentally altered.
Affected Systems
The vulnerability affects gtsteffaniak FileBrowser Quantum releases older than v1.3.2‑stable, v1.4.0‑beta, and v1.4.1‑beta. The issue was fixed in v1.3.3‑stable and v1.4.2‑beta. Versions identified as "prior to 1.3.2‑stable, 1.4.0‑beta and 1.4.1‑beta" are therefore vulnerable. The affected product is FileBrowser Quantum, a free, self‑hosted, web‑based file manager.
Risk and Exploitability
The CVSS score of 9.3 labels the flaw as critical. This Path Traversal vulnerability (CWE‑22) demonstrates that remote attackers can manipulate filesystem paths outside the intended boundary. The EPSS score of <1% indicates a low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a valid public share link that has AllowModify=true. Once such a link is known, an attacker can remotely perform arbitrary move, copy, or rename operations against the host’s filesystem. The attack vector is remote over HTTP(S) using the PATCH endpoint; no local user privilege or special conditions are required beyond the share link.
OpenCVE Enrichment
Github GHSA