Github.Com Gtsteffaniak Filebrowser vulnerabilities
3 known vulnerabilities affecting github.com/gtsteffaniak_filebrowser.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2
Vulnerabilities
CVE-2026-44542 [CRITICAL] CWE-22 FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion
P2 | CRITICAL | ≥ 0, < 0.0.0-20260501183844-112740bdd41d | 2026-05-07
### **Summary**
Attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with
ghsa
CVE-2026-30934 [HIGH] CWE-79 FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)
P4 | HIGH | ≥ 0, < 0.0.0-20260307130210-09713b32a5f6 | 2026-03-09
## Summary
Stored XSS is possible via share metadata fields (e.g., `title`, `description`) that are rendered into HTML for `/public/share/` without context-aware escaping. The server uses `text/template` instead of `html/template`, allowing injected script
ghsa, osv
CVE-2026-46410 [HIGH] CWE-200 FileBrowser Quantum: unauthenticated user share share info
HIGH | ≥ 0, < 1.2.1-stable.0.20260514154726-1802e1281135 | 2026-05-19
### Impact
Some sensitive info, such as source and path, can get exposed.
### Patches
Update to the latest version
### Workarounds
no
ghsa