CVE-2026-44542
published 2026-05-14
Priority: P265 · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:H
EPSS: 0.52% (40.4th percentile)
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope. This affects public/api/resources and public/api/resources/bulk. This vulnerability is fixed in 1.3.1-stable and 1.3.9-beta.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gtsteffaniak_filebrowser | >= 0 < 0.0.0-20260501183844-112740bdd41d | 0.0.0-20260501183844-112740bdd41d |
| github.com | gtsteffaniak_filebrowser_backend | >= 0 < 0.0.0-20260518193514-28e9b81e438e | 0.0.0-20260518193514-28e9b81e438e |
| gtsteffaniak | filebrowser | < 1.3.3-stable | 1.3.3-stable |
| gtsteffaniak | filebrowser | — | — |
| gtsteffaniak | filebrowser_quantum | < 1.3.1 | 1.3.1 |
| gtsteffaniak | filebrowser_quantum | < 1.3.9 | 1.3.9 |
CVSS provenance
NVD (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
GHSA: 9.1 CRITICAL
GHSA
FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory
ghsa · 2026-05-22 · CVSS 9.1 · CRITICAL · CWE-22
## Summary
`publicPatchHandler` in `backend/http/public.go` joins user-controlled `fromPath` and `toPath` body fields with the trusted `d.share.Path` BEFORE the downstream sanitizer runs. Because `filepath.Join` collapses `..` segments during the join, the sanitizer in `resourcePatchHandler` never sees the traversal and the move/copy/rename operates on a path outside the shared directory. The same root-cause pattern was patched for the bulk DELETE endpoint as CVE-2026-44542 (GHSA-fwj3-42wh-8673), but the PATCH handler with the identical pattern was not updated.
A public share link with `AllowModify=true` is sufficient to exploit this. Anyone holding such a link can move, copy, or rename ar
VulDB
gtsteffaniak filebrowser up to 1.3.0/1.3.8 path traversal
vuldb · 2026-05-14 · CVSS 9.1 · CRITICAL
A vulnerability classified as critical has been found in gtsteffaniak filebrowser up to 1.3.0/1.3.8. This affects an unknown function. This manipulation causes path traversal.
This vulnerability appears as CVE-2026-44542. The attack may be initiated remotely. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion
ghsa · 2026-05-07 · CRITICAL · CWE-22
### **Summary**
Attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope.
### **Affected Components**
**Two distinct vulnerable code paths:**
1. Stable versions (e.g., gtstef/filebrowser:stable)
   - `DELETE /public/api/resources?hash=&path=../victim`
   - Root cause: middleware.go:111
   - Issue: path query parameter is joined before SanitizeUserPath()
2. Development / HEAD (e.g
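Both GHSA summaries on this page describe the same defect: the untrusted request path is joined with the trusted share root before the sanitizer runs, and `filepath.Join` collapses the `..` segments during the join, so the sanitizer never sees them. The Go program below is an added illustration, not FileBrowser's code; the function names (`sanitize`, `joinThenSanitize`, `sanitizeThenJoin`, `resolveWithinShare`), the share root and the request paths are constructed for the example. It contrasts the join-then-sanitize ordering with sanitize-then-join, and adds an explicit containment check of the kind a delete or move handler should apply, which rejects escaping paths instead of rewriting them.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideShare is returned when a request path would resolve outside the share root.
var ErrOutsideShare = errors.New("path escapes the shared directory")

// sanitize is a stand-in for a sanitizer that only knows how to neutralise
// ".." in a request path: it roots the path at "/" and cleans it, so ".."
// segments cannot climb above "/". Hypothetical helper, not FileBrowser's code.
func sanitize(p string) string {
	return filepath.Clean("/" + filepath.ToSlash(p))
}

// joinThenSanitize reproduces the vulnerable ordering described in the advisories:
// the request path is joined with the trusted share root first. filepath.Join
// cleans its result, so "../victim" is collapsed into the parent directory and
// the sanitizer that runs afterwards never sees a ".." segment.
func joinThenSanitize(shareRoot, reqPath string) string {
	joined := filepath.Join(shareRoot, reqPath)
	return sanitize(joined) // nothing left to strip: the traversal already happened
}

// sanitizeThenJoin is the corrected ordering: sanitize the untrusted path on its
// own, then join it with the share root. ".." is contained before it can reach
// the trusted prefix, so "../victim" lands at "<shareRoot>/victim".
func sanitizeThenJoin(shareRoot, reqPath string) string {
	return filepath.Join(shareRoot, sanitize(reqPath))
}

// resolveWithinShare is the stricter variant for destructive operations: it
// refuses any request path whose resolved form is not the share root itself or
// a descendant of it, instead of silently rewriting the path.
func resolveWithinShare(shareRoot, reqPath string) (string, error) {
	root := filepath.Clean(shareRoot)
	full := filepath.Join(root, reqPath)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideShare
	}
	return full, nil
}

func main() {
	const root = "/srv/shares/public" // constructed example share root
	// Constructed request paths: one benign, two carrying traversal sequences.
	for _, p := range []string{"docs/report.pdf", "../victim", "a/../../../etc/hosts"} {
		fmt.Printf("request %q\n", p)
		fmt.Printf("  join-then-sanitize (vulnerable): %s\n", joinThenSanitize(root, p))
		fmt.Printf("  sanitize-then-join (fixed):      %s\n", sanitizeThenJoin(root, p))
		if full, err := resolveWithinShare(root, p); err != nil {
			fmt.Printf("  containment check:               rejected (%v)\n", err)
		} else {
			fmt.Printf("  containment check:               %s\n", full)
		}
	}
}
```

The containment check is lexical: it does not follow symlinks, so a share that may contain symlinks should resolve the joined path with `filepath.EvalSymlinks` before comparing it against the root. Rejected requests are also the natural place to emit a log line, since a public share hash arriving with `path=../` in it is the pattern the advisory above describes.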
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-14