Nixpkgs security tracker

Login with GitHub

Suggestions search

With package: filebrowser-quantum

Found 5 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-48777
9.3 CRITICAL
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 4 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    3 packages
    • filebrowser
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
  • @LeSuisse ignored
    2 maintainers
    • @JocimSus
    • @Denperidge
    maintainer.ignore
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
FileBrowser Quantum: Path Traversal in public share PATCH allows file ops outside shared directory

FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields with the trusted d.share.Path BEFORE the downstream sanitizer runs. Because filepath.Join collapses .. segments during the join, the sanitizer in resourcePatchHandler never sees the traversal and the move/copy/rename operates on a path outside the shared directory. The same root-cause pattern was patched for the bulk DELETE endpoint as CVE-2026-44542 (GHSA-fwj3-42wh-8673), but the PATCH handler with the identical pattern was not updated. A public share link with AllowModify=true is sufficient to exploit this. Anyone holding such a link can move, copy, or rename arbitrary files within the share owner's source root. This issue has been fixed in versions 1.3.3-stable and 1.4.2-beta.

Affected products

filebrowser
  • ==>= 1.4.0-beta, < 1.4.2-beta
  • ==< 1.3.3-stable

Matching in nixpkgs

Ignored packages (3)

pkgs.filebrowser

Web application for managing files and directories

Package maintainers

Ignored maintainers (2)
Permalink CVE-2026-44542
9.1 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • filebrowser
    • python312Packages.filebrowser-safe
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
FileBrowser Quantum: Unauthenticated Path Traversal in Public Share Delete Allows Arbitrary File Deletion

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope. This affects public/api/resources and public/api/resources/bulk. This vulnerability is fixed in 1.3.1-stable and 1.3.9-beta.

Affected products

filebrowser
  • ==< 1.3.1-stable
  • ==< 1.3.9-beta

Matching in nixpkgs

Ignored packages (4)

Package maintainers

Permalink CVE-2026-30934
8.9 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 4 months ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    4 packages
    • filebrowser
    • python312Packages.filebrowser-safe
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
  • @mweinelt accepted
  • @mweinelt published on GitHub
FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.

Affected products

filebrowser
  • ==< 1.2.2-stable
  • ==>= 1.3.0-beta, < 1.3.1-beta

Matching in nixpkgs

Ignored packages (4)

Package maintainers

https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532
Permalink CVE-2026-30933
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 4 months ago by @mweinelt Activity log
  • Created suggestion
  • @mweinelt ignored
    4 packages
    • filebrowser
    • python312Packages.filebrowser-safe
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
  • @mweinelt accepted
  • @mweinelt published on GitHub
FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.

Affected products

filebrowser
  • ==>= 1.2.6-beta, < 1.2.2-stable
  • === 1.1.3-stable
  • ==>= 1.3.0-beta, < 1.3.1-beta

Matching in nixpkgs

Ignored packages (4)

Package maintainers

https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • filebrowser
    • python312Packages.filebrowser-safe
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
FileBrowser Quantum: Password Protection Not Enforced on Shared File Links

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.

Affected products

filebrowser
  • ==< 1.1.3-stable
  • ==>= 1.2.0-beta, < 1.2.6-beta

Matching in nixpkgs

Ignored packages (4)

Package maintainers

Upstream advisory: https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6
Upstream patch: https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1