PT-2026-38413 · Unknown · Filebrowser Quantum

Yesuhei · Published 2026-05-01 · Updated 2026-06-25 · CVE-2026-44542

CVSS v3.1: 9.4 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

FileBrowser Quantum versions prior to 1.3.1-stable
FileBrowser Quantum versions prior to 1.3.9-beta

Description

Attacker-controlled path input is joined with a trusted base path before sanitization, enabling the use of traversal sequences such as ../ to escape the intended shared directory. An unauthenticated attacker with a valid public share hash and delete permissions can delete arbitrary files outside the shared directory within the storage scope of the share owner. This issue affects the 'public/api/resources' and 'public/api/resources/bulk' endpoints, specifically involving the path parameter.

Recommendations

Update to version 1.3.1-stable.
Update to version 1.3.9-beta.
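
The join-before-sanitize ordering from the description, next to a containment check that rejects paths leaving the share. This is an added Go example, not FileBrowser Quantum's code or its patch; the function names, the share root and the request paths are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideShare is returned when a request path resolves outside the share.
var ErrOutsideShare = errors.New("path escapes share root")

// joinThenClean shows the flawed order from the description: the untrusted
// path is joined to the trusted base first, so cleaning resolves "../"
// against the base and the result can sit above it.
func joinThenClean(shareRoot, userPath string) string {
	return filepath.Clean(filepath.Join(shareRoot, userPath))
}

// resolveInShare joins, then proves containment before returning a path.
// filepath.Rel is used instead of a string prefix test so that a sibling
// such as "<root>-old" is not mistaken for a child of root.
// The check is lexical only; symlinks inside the share need separate handling.
func resolveInShare(shareRoot, userPath string) (string, error) {
	root := filepath.Clean(shareRoot)
	full := filepath.Join(root, userPath) // Join also cleans the result
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideShare
	}
	return full, nil
}

func main() {
	root := "/srv/users/alice/shared" // constructed share root
	// Constructed request paths: one benign, two that leave the share.
	for _, p := range []string{"docs/../report.pdf", "../private/notes.txt", "../shared-old/a.txt"} {
		full, err := resolveInShare(root, p)
		fmt.Printf("%-22q flawed=%s checked=%q err=%v\n", p, joinThenClean(root, p), full, err)
	}
}
```

A destructive handler such as delete should act only on the path returned by the checked function and treat the error as a rejected request.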

Path traversal


Weakness Enumeration

Related Identifiers

BDU:2026-07993
CVE-2026-44542
GHSA-FWJ3-42WH-8673
GO-2026-5383

Affected Products

Filebrowser Quantum