Nixpkgs security tracker

Login with GitHub

Suggestions search

Published
Filter by:
With package: filebrowser-quantum

Found 4 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-44542
9.1 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 week, 2 days ago by @LeSuisse Activity log
  • Created suggestion 1 week, 3 days ago
  • @LeSuisse ignored
    4 packages
    • filebrowser
    • python312Packages.filebrowser-safe
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
    1 week, 2 days ago
  • @LeSuisse accepted 1 week, 2 days ago
  • @LeSuisse published on GitHub 1 week, 2 days ago
FileBrowser Quantum: Unauthenticated Path Traversal in Public Share Delete Allows Arbitrary File Deletion

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope. This affects public/api/resources and public/api/resources/bulk. This vulnerability is fixed in 1.3.1-stable and 1.3.9-beta.

Affected products

filebrowser
  • ==< 1.3.9-beta
  • ==< 1.3.1-stable

Matching in nixpkgs

Ignored packages (4)

Package maintainers

Permalink CVE-2026-30934
8.9 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 2 months, 1 week ago by @mweinelt Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @mweinelt ignored
    4 packages
    • filebrowser
    • python312Packages.filebrowser-safe
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
    2 months, 1 week ago
  • @mweinelt accepted 2 months, 1 week ago
  • @mweinelt published on GitHub 2 months, 1 week ago
FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.

Affected products

filebrowser
  • ==>= 1.3.0-beta, < 1.3.1-beta
  • ==< 1.2.2-stable

Matching in nixpkgs

Ignored packages (4)

Package maintainers

https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r633-fcgp-m532
Permalink CVE-2026-30933
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 1 week ago by @mweinelt Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @mweinelt ignored
    4 packages
    • filebrowser
    • python312Packages.filebrowser-safe
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
    2 months, 1 week ago
  • @mweinelt accepted 2 months, 1 week ago
  • @mweinelt published on GitHub 2 months, 1 week ago
FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.

Affected products

filebrowser
  • ==>= 1.3.0-beta, < 1.3.1-beta
  • === 1.1.3-stable
  • ==>= 1.2.6-beta, < 1.2.2-stable

Matching in nixpkgs

Ignored packages (4)

Package maintainers

https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f
Permalink CVE-2026-27611
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 4 weeks ago
  • @LeSuisse ignored
    4 packages
    • filebrowser
    • python312Packages.filebrowser-safe
    • python313Packages.filebrowser-safe
    • python314Packages.filebrowser-safe
    2 months, 4 weeks ago
  • @LeSuisse accepted 2 months, 4 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago
FileBrowser Quantum: Password Protection Not Enforced on Shared File Links

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.

Affected products

filebrowser
  • ==>= 1.2.0-beta, < 1.2.6-beta
  • ==< 1.1.3-stable

Matching in nixpkgs

Ignored packages (4)

Package maintainers

Upstream advisory: https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-8vrh-3pm2-v4v6
Upstream patch: https://github.com/gtsteffaniak/filebrowser/commit/c51b0ee9738fa4599b409f47c5bf820ef31b4fe1