{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-48777: FileBrowser Quantum: Path Traversal in public share PATCH allows file ops outside shared directory","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-48777","status":"final","version":"1","initial_release_date":"2026-06-16T18:40:06.121Z","current_release_date":"2026-06-16T18:40:06.121Z","revision_history":[{"date":"2026-06-16T18:40:06.121Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields with the trusted d.share.Path BEFORE the downstream sanitizer runs. Because filepath.Join collapses .. segments during the join, the sanitizer in resourcePatchHandler never sees the traversal and the move/copy/rename operates on a path outside the shared directory. The same root-cause pattern was patched for the bulk DELETE endpoint as CVE-2026-44542 (GHSA-fwj3-42wh-8673), but the PATCH handler with the identical pattern was not updated. A public share link with AllowModify=true is sufficient to exploit this. Anyone holding such a link can move, copy, or rename arbitrary files within the share owner's source root. This issue has been fixed in versions 1.3.3-stable and 1.4.2-beta.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-48777 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-48777"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-48777"},{"category":"external","summary":"https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-qqqm-5547-774x","url":"https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-qqqm-5547-774x"},{"category":"external","summary":"https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.3-stable","url":"https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.3-stable"},{"category":"external","summary":"https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.4.2-beta","url":"https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.4.2-beta"}]},"product_tree":{"branches":[{"category":"vendor","name":"gtsteffaniak","branches":[{"category":"product_name","name":"filebrowser","branches":[{"category":"product_version","name":"< 1.3.3-stable","product":{"name":"gtsteffaniak filebrowser < 1.3.3-stable","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:gtsteffaniak:filebrowser:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":">= 1.4.0-beta, < 1.4.2-beta","product":{"name":"gtsteffaniak filebrowser >= 1.4.0-beta, < 1.4.2-beta","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:gtsteffaniak:filebrowser:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-48777","title":"FileBrowser Quantum: Path Traversal in public share PATCH allows file ops outside shared directory","notes":[{"category":"description","text":"FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields with the trusted d.share.Path BEFORE the downstream sanitizer runs. Because filepath.Join collapses .. segments during the join, the sanitizer in resourcePatchHandler never sees the traversal and the move/copy/rename operates on a path outside the shared directory. The same root-cause pattern was patched for the bulk DELETE endpoint as CVE-2026-44542 (GHSA-fwj3-42wh-8673), but the PATCH handler with the identical pattern was not updated. A public share link with AllowModify=true is sufficient to exploit this. Anyone holding such a link can move, copy, or rename arbitrary files within the share owner's source root. This issue has been fixed in versions 1.3.3-stable and 1.4.2-beta.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","baseScore":9.3,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1","CSAFPID-2"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1","CSAFPID-2"]}]}]}