VYPR

Filebrowser

by Gtsteffaniak

CVEs (6)

  • CVE-2026-48777 · Cri · Jun 16, 2026
    risk 0.53 · cvss · epss 0.00

    FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields…

  • CVE-2026-44542 · Cri · May 14, 2026
    risk 0.52 · cvss 9.1 · epss 0.01

    FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As…

  • CVE-2026-46410 · hig · May 19, 2026
    risk 0.39 · cvss · epss 0.00

    Impact: Some sensitive info, such as source and path, can get exposed. Patches: Update to the latest version. Workarounds: no

  • CVE-2026-30934 · Mar 10, 2026
    risk 0.00 · cvss · epss 0.00

    FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/ without context-aware escaping. The server…

  • CVE-2026-30933 · Mar 10, 2026
    risk 0.00 · cvss · epss 0.01

    FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in…

  • CVE-2026-27611 · Feb 25, 2026
    risk 0.00 · cvss · epss 0.00

    FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a…