CRITICAL · CVE-2026-48777 · CNA: GitHub_M

CVE-2026-48777: FileBrowser Quantum: Path Traversal in public share PATCH allows file ops outside shared directory

FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields with the trusted d.share.Path BEFORE the downstream sanitizer runs. Because filepath.Join collapses .. segments during the join, the sanitizer in resourcePatchHandler never sees the traversal and the move/copy/rename operates on a path outside the shared directory. The same root-cause pattern was patched for the bulk DELETE endpoint as CVE-2026-44542 (GHSA-fwj3-42wh-8673), but the PATCH handler with the identical pattern was not updated. A public share link with AllowModify=true is sufficient to exploit this. Anyone holding such a link can move, copy, or rename arbitrary files within the share owner's source root. This issue has been fixed in versions 1.3.3-stable and 1.4.2-beta.
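The root cause above, and the "collapses dot-dot before the sanitizer runs" point repeated under Exploit Conditions, come down to the order of join and validation. The following is an added illustration, not FileBrowser Quantum's own code: `unsafeResolve` joins the untrusted path onto the trusted share root first, so `filepath.Join` (which calls `Clean`) removes the `..` segments and a later segment check (`containsDotDot`, a stand-in for the downstream sanitizer) sees nothing wrong; `safeResolve` validates the relative path on its own before joining and re-checks the result. The share root and file names are constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideShare = errors.New("path escapes shared directory")

// containsDotDot stands in for a downstream sanitizer that rejects paths
// carrying a ".." segment (constructed for this example).
func containsDotDot(p string) bool {
	for _, seg := range strings.Split(filepath.ToSlash(p), "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// unsafeResolve follows the vulnerable ordering: untrusted path joined onto
// the trusted share root first. filepath.Join runs Clean, so ".." segments
// collapse and a later containsDotDot check on the result sees nothing.
func unsafeResolve(shareRoot, userPath string) string {
	return filepath.Join(shareRoot, userPath)
}

// safeResolve validates the untrusted path on its own before joining, then
// re-checks that the joined path is still the root or lies beneath it.
func safeResolve(shareRoot, userPath string) (string, error) {
	root := filepath.Clean(shareRoot)
	sep := string(filepath.Separator)
	rel := filepath.Clean(userPath) // a leading ".." survives Clean here
	if filepath.IsAbs(userPath) || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideShare
	}
	full := filepath.Join(root, rel)
	if full != root && !strings.HasPrefix(full, root+sep) {
		return "", ErrOutsideShare // defence in depth after the join
	}
	return full, nil
}

func main() {
	root := "/srv/shares/photos" // constructed share root
	p := unsafeResolve(root, "../../etc/passwd")
	fmt.Println(p, containsDotDot(p)) // /srv/etc/passwd false
}
```

The printed `false` is the bypass: the traversal has already been folded into the joined path, so a check for `..` on that string can no longer detect it.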

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: not listed
  • Affected products: 1

HarborGuard Analysis

Synopsis

A path traversal vulnerability exists in FileBrowser Quantum's public share PATCH endpoint (publicPatchHandler). The flaw is reachable over the network with no authentication required; only a valid public share link with modification enabled is needed. Successful exploitation lets an attacker move, copy, or rename arbitrary files anywhere within the share owner's source root, bypassing the intended directory boundary. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment fix versions are published upstream.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-48777 is available across every HarborGuard environment, with the CVE matched against images in customer registries and build pipelines within minutes of upstream publication. Coverage extends to custom-built images that bundle FileBrowser Quantum, not only images pulled from public registries.

Triage: Available

Triage is available using the CVSS v4.0 score of 9.3 (Critical), weighted against each customer's compliance policy to surface urgency correctly. Routing to the appropriate team inbox within each customer organization is handled automatically based on per-environment policy configuration.

Patch: Pending upstream

Because no fix version has been published upstream as of this writing, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available at the corrected version the moment the upstream project ships one. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable PATCH endpoint is exposed over the network, so an attacker must be able to reach the FileBrowser Quantum instance via HTTP/HTTPS.

  • Authentication: Not required

    No account or credential is needed; possession of a public share link with AllowModify=true is sufficient to trigger the exploit.

  • Victim interaction: Not required

    The attacker submits a crafted PATCH request directly and no action from any other user is required.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free; the path traversal works deterministically because filepath.Join collapses dot-dot segments before the sanitizer runs.

Blast Radius

  • Attacker moves, copies, or renames files outside the intended shared directory and into any path accessible within the share owner's source root.
  • File system layout for the share owner can be silently altered, overwriting existing files with attacker-controlled content via a rename or copy operation.
  • Sensitive files stored elsewhere in the source root (configuration files, credentials, private documents) can be relocated to a publicly readable location and subsequently downloaded.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet for CVE-2026-48777, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment versions 1.3.3-stable or 1.4.2-beta are published. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation that restricts inbound access to FileBrowser Quantum instances to trusted source ranges only, disabling or removing public share links that carry AllowModify=true at the application level where the feature is not required, and egress filtering to limit what the host process can reach if a traversal does occur. All affected image variants, including custom-built images bundling FileBrowser Quantum below 1.3.3-stable or between 1.4.0-beta and 1.4.2-beta, are flagged in scan results with the full CVSS v4.0 vector for team review.

Affected packages
  • gtsteffaniak/filebrowser: < 1.3.3-stable · >= 1.4.0-beta, < 1.4.2-beta
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N