CVE-2026-27611
FileBrowser Quantum: Password Protection Not Enforced on Shared File Links
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.
| CWE | CWE-200 CWE-288 CWE-287 |
| Vendor | gtsteffaniak |
| Product | filebrowser |
| Published | Feb 25, 2026 |
| Last Updated | Feb 27, 2026 |
Stay Ahead of the Next One
Get instant alerts for gtsteffaniak filebrowser
Be the first to know when new unknown vulnerabilities affecting gtsteffaniak filebrowser are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
gtsteffaniak / filebrowser
< 1.1.3-stable >= 1.2.0-beta, < 1.2.6-beta