CVE Catalog

CVE-2026-44542

Critical
Published: Translated: NVD NIST

Summary

FileBrowser Quantum prior to versions 1.3.1-stable and 1.3.9-beta has a vulnerability that allows an attacker to use attacker-controlled path input to escape the intended shared directory. As a result, an unauthenticated attacker with a valid public share hash and delete permissions can delete arbitrary files outside this directory.

Risk Assessment

The organization is at risk of unauthorized file deletion, which may lead to data loss and disruption of operations. Specifically, an attacker could delete files that are critical to system functionality.

Recommendation

It is recommended to upgrade to version 1.3.1-stable or 1.3.9-beta to mitigate this vulnerability. Additionally, conducting an audit of permissions for public shares is advisable to minimize the risk of unauthorized access.

Original NVD description (English source)

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope. This affects public/api/resources and public/api/resources/bulk. This vulnerability is fixed in 1.3.1-stable and 1.3.9-beta.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS