PT-2026-38413 · Unknown · Filebrowser Quantum
Yesuhei · Published 2026-05-01 · Updated 2026-06-25 · CVE-2026-44542
CVSS v3.1: 9.4 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
FileBrowser Quantum versions prior to 1.3.1-stable
FileBrowser Quantum versions prior to 1.3.9-beta
Description
Attacker-controlled path input is joined with a trusted base path before sanitization, enabling the use of traversal sequences such as ../ to escape the intended shared directory. An unauthenticated attacker with a valid public share hash and delete permissions can delete arbitrary files outside the shared directory within the storage scope of the share owner. This issue affects the 'public/api/resources' and 'public/api/resources/bulk' endpoints, specifically involving the path parameter.
Recommendations
Update to version 1.3.1-stable.
Update to version 1.3.9-beta.
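The join-before-sanitization flaw from the description, next to a containment check, as an added Go example (not FileBrowser Quantum's code or its actual fix). The function names, the error value and the /srv/users/alice layout are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesShare is returned when a request path resolves outside the share.
var ErrEscapesShare = errors.New("path escapes shared directory")

// joinUnchecked models the flawed order of operations: the request path is
// joined to the trusted share root as-is. filepath.Join cleans the result,
// so a "../" element climbs out of the root instead of being rejected.
func joinUnchecked(shareRoot, reqPath string) string {
	return filepath.Join(shareRoot, reqPath)
}

// resolveInShare joins, then proves the cleaned result is still at or below
// the share root before any file operation is allowed to use it.
// The check is lexical only; symlinks inside the share need a separate check.
func resolveInShare(shareRoot, reqPath string) (string, error) {
	root := filepath.Clean(shareRoot)
	full := filepath.Join(root, reqPath)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesShare
	}
	return full, nil
}

func main() {
	// Constructed layout (assumption): the owner's storage scope is
	// /srv/users/alice and only /srv/users/alice/shared is publicly shared.
	root := "/srv/users/alice/shared"
	for _, p := range []string{
		"docs/report.txt",
		"../private/notes.txt",
		"docs/../../shared-old/x",
	} {
		full, err := resolveInShare(root, p)
		fmt.Printf("%-26q unchecked=%s checked=%q err=%v\n",
			p, joinUnchecked(root, p), full, err)
	}
}
```

The third sample path shows why the check compares path elements rather than a raw string prefix: a sibling directory whose name merely begins with the share's name must also be rejected.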
Exploit
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Filebrowser Quantum