CVE-2026-30933
Published 2026-03-10
Priority: P3 · 45 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.54% (41.5th percentile)
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password-protected shares still disclose a tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | <= 1.2.9 | — |
| filebrowser | filebrowser | — | — |
| filebrowser | filebrowser | — | — |
| github.com | gtsteffaniak_filebrowser_backend | >= 0 < 0.0.0-20260307130210-09713b32a5f6 | 0.0.0-20260307130210-09713b32a5f6 |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ghsa · 7.1 HIGH
osv · 7.1 HIGH
OSV
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info in github.com/gtsteffaniak/filebrowser/backend
osv·2026-03-11
CVE-2026-30933 FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info in github.com/gtsteffaniak/filebrowser/backend
GHSA
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info
ghsa·2026-03-09·CVSS 7.1
CVE-2026-30933 [HIGH] CWE-200 FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info
### Summary
The remediation for CVE-2026-27611 appears incomplete. Password-protected shares still disclose a tokenized downloadURL via /public/api/share/info in the Docker image gtstef/filebrowser:1.3.1-webdav-2.
### Details
The issue stems from two flaws:
1. Tokenized download URLs are written into the persistent share model:
```
// backend/http/share.go, convertToFrontendShareResponse (line 63)
s.DownloadURL = getShareURL(r, s.Hash, true, s.Token)
```
2. The public endpoint
```
GET /public/api/share/info
```
returns shareLink.CommonShare without clearing DownloadURL.
Since Token is set for password-protected shares, and getShareURL(..., true, token) embeds it as a query parameter, the public API discloses a valid b
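The two flaws above, modelled in Go next to one way to close them, with a regression check a maintainer could run against the public response. This is an added example, not the project's code or its actual patch: the struct is a simplified stand-in for CommonShare, and HasPassword, the helper names and the sample values are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// CommonShare is a simplified stand-in for the share model the advisory names.
// Hash, Token and DownloadURL are from the advisory; HasPassword is assumed.
type CommonShare struct {
	Hash        string `json:"hash"`
	HasPassword bool   `json:"hasPassword"`
	Token       string `json:"token,omitempty"`
	DownloadURL string `json:"downloadURL,omitempty"`
}

// infoLeaky mirrors the flawed pattern: the stored model is serialized as-is.
func infoLeaky(s CommonShare) []byte {
	b, _ := json.Marshal(s)
	return b
}

// infoRedacted works on a copy (s is passed by value) and strips token-bearing
// fields unless the caller has already passed the share's password check.
func infoRedacted(s CommonShare, passwordVerified bool) []byte {
	if s.HasPassword && !passwordVerified {
		s.Token = ""
		s.DownloadURL = ""
	}
	b, _ := json.Marshal(s)
	return b
}

// leaksToken reports whether the token appears anywhere in the response body.
func leaksToken(body []byte, token string) bool {
	return token != "" && bytes.Contains(body, []byte(token))
}

// sampleShare returns constructed data, not values from a real deployment.
func sampleShare() CommonShare {
	return CommonShare{Hash: "abc123", HasPassword: true, Token: "tok-EXAMPLE",
		DownloadURL: "/EXAMPLE/download?hash=abc123&token=tok-EXAMPLE"}
}

func main() {
	s := sampleShare()
	fmt.Println(leaksToken(infoLeaky(s), s.Token), leaksToken(infoRedacted(s, false), s.Token))
}
```

Searching the whole body for the token, rather than checking a single field, also catches the case the advisory describes, where the token travels inside a URL.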
OSV
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info
osv·2026-03-09·CVSS 7.1
CVE-2026-30933 [HIGH] FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info
No detection rules found.
No public exploits indexed.
2026-03-10
Published