CVE-2026-48777
Deferred - Pending Action
Path Traversal in FileBrowser Quantum

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: GitHub, Inc.

Description
FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields with the trusted d.share.Path BEFORE the downstream sanitizer runs. Because filepath.Join collapses .. segments during the join, the sanitizer in resourcePatchHandler never sees the traversal and the move/copy/rename operates on a path outside the shared directory. The same root-cause pattern was patched for the bulk DELETE endpoint as CVE-2026-44542 (GHSA-fwj3-42wh-8673), but the PATCH handler with the identical pattern was not updated. A public share link with AllowModify=true is sufficient to exploit this. Anyone holding such a link can move, copy, or rename arbitrary files within the share owner's source root. This issue has been fixed in versions 1.3.3-stable and 1.4.2-beta.
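The ordering bug described above, reduced to a stand-alone illustration that is not FileBrowser Quantum's code: a stand-in sanitizer that rejects ".." segments is applied after filepath.Join in one function (the reported pattern) and before it, with a containment check, in the other; the share root and file names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrTraversal = errors.New("path escapes share root")

// sanitize stands in for the downstream check: it rejects any ".." segment it is handed.
func sanitize(p string) error {
	for _, seg := range strings.Split(filepath.ToSlash(p), "/") {
		if seg == ".." {
			return ErrTraversal
		}
	}
	return nil
}

// vulnerableResolve mirrors the reported ordering: join first, sanitize second.
// filepath.Join has already collapsed "..", so the check never fires.
func vulnerableResolve(shareRoot, userPath string) (string, error) {
	joined := filepath.Join(shareRoot, userPath)
	if err := sanitize(joined); err != nil {
		return "", err
	}
	return joined, nil
}

// safeResolve checks the raw input before joining, then confirms the result still lies under shareRoot.
func safeResolve(shareRoot, userPath string) (string, error) {
	if err := sanitize(userPath); err != nil {
		return "", err
	}
	joined := filepath.Join(shareRoot, userPath)
	rel, err := filepath.Rel(shareRoot, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

func main() {
	root := "/srv/files/public-share" // constructed share path, not a real deployment
	v, _ := vulnerableResolve(root, "../../etc/secret.txt")
	_, err := safeResolve(root, "../../etc/secret.txt")
	fmt.Printf("vulnerable handler resolved to %q; hardened handler returned: %v\n", v, err)
}
```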
Meta Information
Published: 2026-06-16
Last Modified: 2026-06-16
Generated: 2026-06-17
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 7 associated CPEs
Vendor        Product      Version / Range
gtsteffaniak  filebrowser  up to 1.3.2-stable (excluding)
gtsteffaniak  filebrowser  up to 1.4.1-beta (excluding)
gtsteffaniak  filebrowser  1.3.3-stable
gtsteffaniak  filebrowser  1.4.2-beta
filebrowser   quantum      up to 1.3.2-stable (excluding)
filebrowser   quantum      from 1.3.3-stable (including)
filebrowser   quantum      from 1.4.2-beta (including)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Quick Actions
Executive Summary

CVE-2026-48777 is a critical path traversal vulnerability in the FileBrowser application affecting versions prior to 1.3.3-stable and 1.4.2-beta. The issue exists in the public share PATCH handler, where user-controlled file paths (fromPath and toPath) are joined with a trusted shared directory path before any sanitization occurs. Because the filepath.Join function collapses path segments like ".." before the sanitizer runs, attackers can manipulate these paths to escape the intended shared directory.

This allows anyone holding a public share link with AllowModify=true to move, copy, or rename arbitrary files within the share owner's source root directory, potentially accessing or tampering with files outside the shared directory.

Impact Analysis

This vulnerability can have severe impacts, including unauthorized access to and modification of files outside the intended shared directory. An attacker can move, copy, or rename files arbitrarily within the share owner's source root, potentially exposing sensitive data or overwriting important files.

Because the attack requires no privileges or user interaction and can be executed remotely, it poses a high risk to the confidentiality and integrity of data managed by the FileBrowser instance.

Mitigation Strategies

To mitigate this vulnerability, upgrade FileBrowser to a version in which the issue is fixed.

  • Upgrade to version 1.3.3-stable or later.
  • Alternatively, upgrade to version 1.4.2-beta or later.

These versions include fixes that properly sanitize user-provided paths before joining them with the share directory path, preventing path traversal attacks.

Additionally, review and restrict public share links with AllowModify=true to trusted users only, as possession of such links enables exploitation.

Compliance Impact

The vulnerability allows attackers to perform unauthorized file operations outside the intended shared directory, potentially exposing or tampering with sensitive files within the share owner's source root directory.

Such unauthorized access and modification of files could lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to sensitive personal or health information.

Because the flaw enables remote, unauthenticated attackers to move, copy, or rename arbitrary files, it undermines confidentiality and integrity controls mandated by these regulations.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious PATCH requests to the public share endpoint that include path traversal patterns in the fromPath or toPath fields.

Specifically, look for HTTP PATCH requests to the public share handler containing payloads with path segments like "../" which attempt to move, copy, or rename files outside the intended shared directory.

Detection can be approached either by inspecting network traffic or by filtering web server logs for suspicious PATCH requests; example commands follow.

  • Using tcpdump or tshark to capture HTTP PATCH requests: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i PATCH
  • Using grep on web server access logs to find PATCH requests with path traversal attempts: grep -i PATCH /var/log/filebrowser/access.log | grep '\.\./'
  • Using curl or similar tools to test if the server is vulnerable by crafting a PATCH request with fromPath or toPath containing '../' sequences on a public share link with AllowModify=true.

Note that detection requires access to logs or network traffic where such PATCH requests can be observed, and knowledge of public share links with modification permissions.
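Because fromPath and toPath are request body fields, access logs alone will not show them; the following is an added example, not a tool from this page or the project, of inspecting the JSON body of a PATCH to a public-share endpoint and flagging fields that carry a ".." segment. The field names follow the advisory; the sample body is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// patchBody models the two body fields named in the advisory.
type patchBody struct {
	FromPath string `json:"fromPath"`
	ToPath   string `json:"toPath"`
}

// hasDotDot reports whether p carries a ".." segment, after percent-decoding and
// slash normalisation so that encoded or backslash variants are not missed.
func hasDotDot(p string) bool {
	if dec, err := url.PathUnescape(p); err == nil {
		p = dec
	}
	for _, seg := range strings.Split(strings.ReplaceAll(p, `\`, "/"), "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// inspectPatch returns the body fields that look like traversal attempts.
// A body that is not JSON yields an error so the caller can log the anomaly.
func inspectPatch(body []byte) ([]string, error) {
	var b patchBody
	if err := json.Unmarshal(body, &b); err != nil {
		return nil, err
	}
	var hits []string
	if hasDotDot(b.FromPath) {
		hits = append(hits, "fromPath")
	}
	if hasDotDot(b.ToPath) {
		hits = append(hits, "toPath")
	}
	return hits, nil
}

func main() {
	body := []byte(`{"fromPath":"../../.config/app.db","toPath":"moved.db"}`) // constructed body
	hits, err := inspectPatch(body)
	fmt.Printf("flagged fields: %v (err=%v)\n", hits, err)
}
```

In a deployment this check would sit in a reverse proxy or request-logging middleware in front of the share endpoint, so that flagged requests are recorded with the share link that carried them.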
