Suggestions search

Published

Filter by:

With package: filebrowser-quantum

Found 3 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-30934

8.9 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): LOW

updated 3 weeks, 1 day ago by @mweinelt Activity log

Created automatic suggestion 3 weeks, 1 day ago
@mweinelt removed package filebrowser 3 weeks, 1 day ago
@mweinelt removed package python312Packages.filebrowser-safe 3 weeks, 1 day ago
@mweinelt removed package python313Packages.filebrowser-safe 3 weeks, 1 day ago
@mweinelt removed package python314Packages.filebrowser-safe 3 weeks, 1 day ago
@mweinelt accepted 3 weeks, 1 day ago
@mweinelt published on GitHub 3 weeks, 1 day ago

FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.

References

https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532 x_refsource_CONFIRM
https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable x_refsource_MISC
https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta x_refsource_MISC

Affected products

filebrowser

==>= 1.3.0-beta, < 1.3.1-beta
==< 1.2.2-stable

Matching in nixpkgs

pkgs.filebrowser-quantum

Access and manage your files from the web

nixos-unstable 1.1.0-stable
- nixpkgs-unstable 1.1.0-stable
- nixos-unstable-small 1.1.0-stable

Package maintainers

@JocimSus Joachim Susatiyo <joe.susatiyo@gmail.com>
@Denperidge Cat <contact@denperidge.com>

https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532

Permalink CVE-2026-30933

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

updated 3 weeks, 1 day ago by @mweinelt Activity log

Created automatic suggestion 3 weeks, 1 day ago
@mweinelt removed package filebrowser 3 weeks, 1 day ago
@mweinelt removed package python312Packages.filebrowser-safe 3 weeks, 1 day ago
@mweinelt removed package python313Packages.filebrowser-safe 3 weeks, 1 day ago
@mweinelt removed package python314Packages.filebrowser-safe 3 weeks, 1 day ago
@mweinelt accepted 3 weeks, 1 day ago
@mweinelt published on GitHub 3 weeks, 1 day ago

FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.

References

https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f x_refsource_CONFIRM
https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable x_refsource_MISC
https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta x_refsource_MISC

Affected products

filebrowser

==>= 1.3.0-beta, < 1.3.1-beta
==>= 1.2.6-beta, < 1.2.2-stable
=== 1.1.3-stable

Matching in nixpkgs

pkgs.filebrowser-quantum

Access and manage your files from the web

nixos-unstable 1.1.0-stable
- nixpkgs-unstable 1.1.0-stable
- nixos-unstable-small 1.1.0-stable

Package maintainers

@JocimSus Joachim Susatiyo <joe.susatiyo@gmail.com>
@Denperidge Cat <contact@denperidge.com>

https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f

Permalink CVE-2026-27611

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse removed package filebrowser 1 month ago
@LeSuisse removed package python312Packages.filebrowser-safe 1 month ago
@LeSuisse removed package python313Packages.filebrowser-safe 1 month ago
@LeSuisse removed package python314Packages.filebrowser-safe 1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

FileBrowser Quantum: Password Protection Not Enforced on Shared File Links

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.

References

https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6 x_refsource_CONFIRM
https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1 x_refsource_MISC

Affected products

filebrowser

==< 1.1.3-stable
==>= 1.2.0-beta, < 1.2.6-beta

Matching in nixpkgs

pkgs.filebrowser-quantum

Access and manage your files from the web

nixos-unstable 1.1.0-stable
- nixpkgs-unstable 1.1.0-stable
- nixos-unstable-small 1.1.0-stable

Package maintainers

@Denperidge Cat <contact@denperidge.com>
@JocimSus Joachim Susatiyo <joe.susatiyo@gmail.com>

Upstream advisory: https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6
Upstream patch: https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1