269 matches found
FileBrowser Quantum: unauthenticated user share share info
Impact Some sensitive info -- such as source and path can get exposed. Patches Update to the latest version Workarounds no...
Cross-site Scripting (XSS)
FileBrowser Quantum is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper escaping of user-controlled share metadata fields when rendered in HTML using text/template, which allows an attacker to inject and execute malicious scripts when users visit a shared URL...
CVE-2026-44542
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences e.g., ../ to escape the intended shared directory. As a result, an...
Directory Traversal
github.com/gtsteffaniak/filebrowser is vulnerable to Directory Traversal. The vulnerability is due to improper sanitization of attacker-controlled path input before path validation, which allows an attacker to use traversal sequences to delete arbitrary files outside the intended shared directory...
CVE-2026-44542 FileBrowser Quantum: Unauthenticated Path Traversal in Public Share Delete Allows Arbitrary File Deletion
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences e.g., ../ to escape the intended shared directory. As a result, an...
EUVD-2026-30344
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences e.g., ../ to escape the intended shared directory. As a result, an...
CVE-2026-44542
CVE-2026-44542 affects FileBrowser Quantum. An attacker-controlled path input is joined with a trusted base path before sanitization, enabling path traversal (e.g., ../) to escape the shared directory. An unauthenticated attacker with a valid public share hash that has delete permissions can dele...
FileBrowser Quantum 路径遍历漏洞
FileBrowser Quantum is a file manager developed by Graham Steffaniak. Versions prior to 1.3.1-stable and 1.3.9-beta contained a path traversal vulnerability. This vulnerability stemmed from the concatenation of trusted base paths before path cleaning, which could lead to directory traversal attac...
FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header)
Summary FileBrowser Quantum serves inline SVG files without a Content-Security-Policy header, allowing embedded JavaScript in SVG files to execute when accessed via public share links. Verified on v1.3.0-stable. Affected product - Product: FileBrowser Quantum gtsteffaniak/filebrowser - Verified...
GHSA-MMPX-JH39-WRV6 FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header)
Summary FileBrowser Quantum serves inline SVG files without a Content-Security-Policy header, allowing embedded JavaScript in SVG files to execute when accessed via public share links. Verified on v1.3.0-stable. Affected product - Product: FileBrowser Quantum gtsteffaniak/filebrowser - Verified...
FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion
Summary Attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences e.g., ../ to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete...
GHSA-JVPW-637P-H3PW vulnerabilities
Vulnerabilities for packages: filebrowser...
CVE-2026-35585 vulnerabilities
Vulnerabilities for packages: filebrowser...
GHSA-JVPW-637P-H3PW vulnerabilities
Vulnerabilities for packages: filebrowser...
CVE-2026-35585 vulnerabilities
Vulnerabilities for packages: filebrowser...
GHSA-X4JJ-H2V8-HQQV vulnerabilities
Vulnerabilities for packages: neuvector-scanner, ipfs-cluster, flux-helm-controller, docker-cli, snyk-cli, tofu-controller, gatekeeper, gh, kaf, terraform, ingress-nginx-controller, timoni, cilium-envoy, helm-push, net-kourier, cloud-provider-aws, external-secrets-operator, keda, rclone, syft,...
GHSA-7MR4-XJXG-34G6 vulnerabilities
Vulnerabilities for packages: neuvector-scanner, nginx-prometheus-exporter, prometheus-pushgateway, grafana-pyroscope, yunikorn-k8shim, dkron, flux-helm-controller, docker-cli, migrate, snyk-cli, step-issuer, gatekeeper, gh, kaf, tofu-controller, terraform, ingress-nginx-controller,...
CVE-2026-32281 vulnerabilities
Vulnerabilities for packages: grafana-pyroscope, ipfs-cluster, migrate, snyk-cli, kaf, secrets-store-csi-driver-provider-azure, prometheus-blackbox-exporter, q, k3s, whereabouts, azurefile-csi, incert, smokescreen, nri-f5, spark-operator, hey, mongodb-kubernetes-operator, envconsul,...
CVE-2026-32289 vulnerabilities
Vulnerabilities for packages: neuvector-scanner, nginx-prometheus-exporter, prometheus-pushgateway, grafana-pyroscope, yunikorn-k8shim, dkron, flux-helm-controller, docker-cli, migrate, snyk-cli, step-issuer, gatekeeper, gh, kaf, tofu-controller, terraform, ingress-nginx-controller,...
CVE-2026-32288 vulnerabilities
Vulnerabilities for packages: docker-compose-fips, omni-fips, gitlab-operator, harbor-fips, mailpit, tkn-fips, gitlab-workhorse-ce, prometheus-operator, gitlab-rails-ce-fips, mattermost-fips, vendir, knative-serving, k8ssandra-client, cert-manager, chezmoi, envconsul-fips, gitlab-kas, scorecard,...