277 matches found
CVE-2026-30933
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and...
SUSE CVE-2026-30933
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and...
SUSE CVE-2026-30934
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields e.g., title, description that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead ...
Timing Attack
Overview Affected versions of this package are vulnerable to Timing Attack via the Auth function in the authentication. An attacker can determine the existence of valid usernames by measuring differences in authentication response times. Remediation Upgrade...
GHSA-7789-65HX-F26W FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel
Summary The /api/auth/login authentication endpoint does not execute in constant time. When a non-existent username is supplied, the server returns a 401/403 response almost immediately. When a valid username is provided, the server performs a bcrypt password comparison, causing a measurable dela...
Authorization Bypass Through User-Controlled Key
Overview github.com/filebrowser/filebrowser/v2/http is a web file browser. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the public share links when they retain share privileges share=true. An attacker can access and exfiltrate file...
Incorrect Privilege Assignment
Overview Affected versions of this package are vulnerable to Incorrect Privilege Assignment in the signupHandler function. An attacker can gain full administrative privileges by registering a new account when self-registration is enabled and the default permissions include administrative rights...
GO-2026-4659 FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info in github.com/gtsteffaniak/filebrowser/backend
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info in github.com/gtsteffaniak/filebrowser/backend...
GO-2026-4660 FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse) in github.com/gtsteffaniak/filebrowser
FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata text/template misuse in github.com/gtsteffaniak/filebrowser...
GO-2026-4606 File Browser's TUS Delete Endpoint Bypasses Delete Permission Check in github.com/filebrowser/filebrowser
File Browser's TUS Delete Endpoint Bypasses Delete Permission Check in github.com/filebrowser/filebrowser...
GO-2026-4585 FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory in github.com/filebrowser/filebrowser
FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory in github.com/filebrowser/filebrowser...
CVE-2026-30933
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and...
CVE-2026-30934
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields e.g., title, description that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead ...
CVE-2026-30934 FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields e.g., title, description that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead ...
CVE-2026-30934 FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields e.g., title, description that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead ...
CVE-2026-30934 FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields e.g., title, description that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead ...
CVE-2026-30934
CVE-2026-30934 affects FileBrowser Quantum (self-hosted web-based file manager). Prior to versions 1.3.1-beta and 1.2.2-stable, a Stored XSS exists via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/. The server uses Go text/template instead of html...
CVE-2026-30933 FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and...
CVE-2026-30933 FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and...
CVE-2026-30933 FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and...