NIXPKGS-2026-0621

GitHub issue published on

Permalink CVE-2026-30933

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 2 months, 1 week ago by @mweinelt Activity log

Created suggestion 2 months, 2 weeks ago
@mweinelt ignored
4 packages
- filebrowser
- python312Packages.filebrowser-safe
- python313Packages.filebrowser-safe
- python314Packages.filebrowser-safe
2 months, 1 week ago
@mweinelt accepted 2 months, 1 week ago
@mweinelt published on GitHub 2 months, 1 week ago

FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.

References

https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f x_refsource_CONFIRM
https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable x_refsource_MISC
https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta x_refsource_MISC

Affected products

filebrowser

==>= 1.3.0-beta, < 1.3.1-beta
=== 1.1.3-stable
==>= 1.2.6-beta, < 1.2.2-stable

Matching in nixpkgs

pkgs.filebrowser-quantum

Access and manage your files from the web

nixos-unstable 1.1.0-stable
- nixpkgs-unstable 1.1.0-stable
- nixos-unstable-small 1.1.0-stable

Ignored packages (4)

pkgs.filebrowser

Filebrowser is a web application for managing files and directories

nixos-unstable 2.57.1
- nixpkgs-unstable 2.57.1
- nixos-unstable-small 2.57.1
nixos-25.11 2.57.1
- nixos-25.11-small 2.57.1
- nixpkgs-25.11-darwin 2.57.1

pkgs.python312Packages.filebrowser-safe

Snapshot of django-filebrowser for the Mezzanine CMS

nixos-25.11 1.1.1
- nixos-25.11-small 1.1.1
- nixpkgs-25.11-darwin 1.1.1

pkgs.python313Packages.filebrowser-safe

Snapshot of django-filebrowser for the Mezzanine CMS

nixos-unstable 1.1.1
- nixpkgs-unstable 1.1.1
- nixos-unstable-small 1.1.1
nixos-25.11 1.1.1
- nixos-25.11-small 1.1.1
- nixpkgs-25.11-darwin 1.1.1

pkgs.python314Packages.filebrowser-safe

Snapshot of django-filebrowser for the Mezzanine CMS

nixos-unstable 1.1.1
- nixpkgs-unstable 1.1.1
- nixos-unstable-small 1.1.1

Package maintainers

@JocimSus Joachim Susatiyo <joe.susatiyo@gmail.com>
@Denperidge Cat <contact@denperidge.com>

https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0621

References

Affected products

Matching in nixpkgs

pkgs.filebrowser-quantum

pkgs.filebrowser

pkgs.python312Packages.filebrowser-safe

pkgs.python313Packages.filebrowser-safe

pkgs.python314Packages.filebrowser-safe

Package maintainers