CVE-2026-44542 Critical Severity in filebrowser_quantum Vulnerability Details & Analysis

Summary

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope. This a

Description

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope. This affects public/api/resources and public/api/resources/bulk. This vulnerability is fixed in 1.3.1-stable and 1.3.9-beta.

📊 Relative Risk Intelligence

This CVE is High Risk - more severe than 87.7% of all 328,009 vulnerabilities in our database.

#40,307

Top 25% most severe

Severity Percentile

🎯 CISA SSVC Assessment Updated: May 15, 2026

🔍 Exploitation Status

Poc

Proof-of-concept available

⚙️ Automatable

YES

Can be exploited automatically

💥 Technical Impact

Partial

Limited system impact

SSVC data provided by CISA

Vendor	Product	Status	Affected Versions
gtsteffaniak	filebrowser_quantum	Affected	< 1.3.1
gtsteffaniak	filebrowser_quantum	Affected	< 1.3.9

CVE-2026-44542

Summary

Description

📊 Relative Risk Intelligence

🎯 CISA SSVC Assessment Updated: May 15, 2026

📦 Affected Products 2

🔗 References 1

🔗 Related CVEs 1