CVE-2026-44542
Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope. This affects public/api/resources and public/api/resources/bulk. This vulnerability is fixed in 1.3.1-stable and 1.3.9-beta.
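The join-before-sanitize pattern described above, next to a containment check, as an added example that is not FileBrowser Quantum's own code. The function names and the sample paths are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesShare reports a request path that resolves outside the share root.
var ErrEscapesShare = errors.New("path escapes share root")

// joinThenClean (hypothetical name) shows the flawed pattern: filepath.Join
// cleans its result, so "../" segments are resolved against the trusted base
// and have vanished by the time any later sanitization looks at the path.
func joinThenClean(shareRoot, userPath string) string {
	return filepath.Join(shareRoot, userPath)
}

// resolveInShare (hypothetical name) joins and then proves containment: the
// result, expressed relative to the root, must not start with a ".." element.
// The check is lexical only; symlinks inside the share need separate handling.
func resolveInShare(shareRoot, userPath string) (string, error) {
	root := filepath.Clean(shareRoot)
	full := filepath.Join(root, userPath)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesShare
	}
	return full, nil
}

func main() {
	root := "/srv/files/alice/shared" // constructed sample share root
	// Constructed sample request paths, including a legal "..name" file.
	for _, p := range []string{"report.pdf", "docs/../report.pdf",
		"..hidden", "../private/notes.txt"} {
		full, err := resolveInShare(root, p)
		fmt.Printf("%-22q naive=%-36s checked=%q err=%v\n",
			p, joinThenClean(root, p), full, err)
	}
}
```
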
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/gtsteffaniak/filebrowser (Go) | < 0.0.0-20260501183844-112740bdd41d | 0.0.0-20260501183844-112740bdd41d |
Affected products
- (no CPE), range: < 0.0.0-20260501183844-112740bdd41d
- cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:-:*:*:*:*:*:*, range: < 1.3.1
- cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:beta:*:*:*:*:*:*, range: < 1.3.9