VYPR
Critical severity9.1GHSA Advisory· Published May 14, 2026· Updated May 15, 2026

CVE-2026-44542

CVE-2026-44542

Description

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope. This affects public/api/resources and public/api/resources/bulk. This vulnerability is fixed in 1.3.1-stable and 1.3.9-beta.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/gtsteffaniak/filebrowserGo
< 0.0.0-20260501183844-112740bdd41d0.0.0-20260501183844-112740bdd41d

Affected products

4
  • < 0.0.0-20260501183844-112740bdd41d+ 2 more
    • (no CPE)range: < 0.0.0-20260501183844-112740bdd41d
    • cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:-:*:*:*:*:*:*range: <1.3.1
    • cpe:2.3:a:gtsteffaniak:filebrowser_quantum:*:beta:*:*:*:*:*:*range: <1.3.9
  • ghsa-coords
    Range: < 0.0.0-20260501183844-112740bdd41d

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.