{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-48777/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-16T18:40:06.121Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-48777","@id":"https://www.cve.org/CVERecord?id=CVE-2026-48777","description":"FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields with the trusted d.share.Path BEFORE the downstream sanitizer runs. Because filepath.Join collapses .. segments during the join, the sanitizer in resourcePatchHandler never sees the traversal and the move/copy/rename operate"},"products":[{"@id":"cpe:2.3:a:gtsteffaniak:filebrowser:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:gtsteffaniak:filebrowser:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-16T18:40:06.121Z"}]}