PT-2026-47627 · Gtsteffaniak+1 · Filebrowser+1
Published
2026-05-22
·
Updated
2026-06-16
·
CVE-2026-48777
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
FileBrowser Quantum versions prior to 1.3.3-stable
FileBrowser Quantum versions prior to 1.4.2-beta
Description
Path Traversal is possible through the
publicPatchHandler function in backend/http/public.go. The issue occurs because the software joins user-controlled fromPath and toPath body fields with the trusted d.share.Path before the downstream sanitizer runs. Since filepath.Join collapses .. segments during this process, the sanitizer in resourcePatchHandler does not detect the traversal, allowing move, copy, or rename operations on paths outside the shared directory.An unauthenticated attacker with a public share link where
AllowModify=true can exploit this to move, copy, or rename arbitrary files within the share owner's source root. This can lead to the exfiltration of private files by renaming them into the shared directory or tampering with files the share owner has write access to.Recommendations
Update to version 1.3.3-stable.
Update to version 1.4.2-beta.
As a temporary workaround, restrict the use of public share links with
AllowModify=true until the update is applied.Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Filebrowser
Github.Com/Gtsteffaniak/Filebrowser/Backend