cvebase

Github.Com Gtsteffaniak Filebrowser Backend vulnerabilities

4 known vulnerabilities affecting github.com/gtsteffaniak_filebrowser_backend.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3

Vulnerabilities

CVE-2026-44542 | P2 | CRITICAL | CVSS 9.1 | ≥ 0, < 0.0.0-20260518193514-28e9b81e438e | 2026-05-22
CVE-2026-44542 [CRITICAL] CWE-22 FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory
## Summary
`publicPatchHandler` in `backend/http/public.go` joins user-controlled `fromPath` and `toPath` body fields with the trusted `d.share.Path` BEFORE the downstream sanitizer runs. Because `filepath.Join` collapses `..` segments during the join, the sanitizer
ghsa
CVE-2026-30933 | P3 | HIGH | CVSS 7.1 | ≥ 0, < 0.0.0-20260307130210-09713b32a5f6 | 2026-03-09
CVE-2026-30933 [HIGH] CWE-200 FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info
### Summary
The remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2.
### Details
The issue stems from two flaws:
1. Tokenized download URLs are written into the persist
ghsa, osv
CVE-2026-27611 | P3 | HIGH | ≥ 0, < 0.0.0-20260221163904-dbcfba993b85 | 2026-02-25
CVE-2026-27611 [HIGH] CWE-200 FileBrowser Quantum: Password Protection Not Enforced on Shared File Links
### Summary
When users share password-protected files, the recipient can completely bypass the password and still download the file.
### Details
This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password.
ghsa, osv
CVE-2026-46410 | HIGH | ≥ 0, < 0.0.0-20260514154726-1802e1281135 | 2026-05-19
CVE-2026-46410 [HIGH] CWE-200 FileBrowser Quantum: unauthenticated user share share info
### Impact
Some sensitive info -- such as source and path can get exposed.
### Patches
Update to the latest version
### Workarounds
no
ghsa