CVE-2026-44542

CRITICAL 9.1

FileBrowser Quantum: Unauthenticated Path Traversal in Public Share Delete Allows Arbitrary File Deletion

CVSS Score

9.1

EPSS Score

0.0%

EPSS Percentile

0th

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope. This affects public/api/resources and public/api/resources/bulk. This vulnerability is fixed in 1.3.1-stable and 1.3.9-beta.

CWE	CWE-22
Vendor	gtsteffaniak
Product	filebrowser
Published	May 14, 2026

Stay Ahead of the Next One

Get instant alerts for gtsteffaniak filebrowser

Be the first to know when new critical vulnerabilities affecting gtsteffaniak filebrowser are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Affected Versions

gtsteffaniak / filebrowser

< 1.3.1-stable < 1.3.9-beta

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-fwj3-42wh-8673