GHSA-QQQM-5547-774X: Unauthenticated Path Traversal in FileBrowser Quantum PATCH Handler
Vulnerability ID: GHSA-QQQM-5547-774X
CVSS Score: 9.1
Published: 2026-05-22
GHSA-QQQM-5547-774X is a critical path traversal vulnerability in the FileBrowser Quantum application, specifically within the Go backend package. The vulnerability resides in the HTTP handler responsible for processing bulk file modifications via the public API. Unauthenticated attackers can exploit an order-of-operations flaw in the path sanitization logic to bypass intended directory restrictions. This allows adversaries to arbitrarily read, move, and overwrite files on the underlying filesystem by supplying specially crafted HTTP PATCH requests.
TL;DR
An unauthenticated path traversal in FileBrowser Quantum's PATCH endpoint allows attackers to move or rename arbitrary files by exploiting an order-of-operations flaw in path sanitization.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22
- Attack Vector: Network
- CVSS v4.0: 9.1
- Exploit Status: Proof-of-Concept
- Privileges Required: None (Unauthenticated)
- Impact: Arbitrary File Read/Write
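The advisory describes an order-of-operations flaw in path sanitization but does not reproduce the handler, so the following is an added Go illustration of that bug class, not the project's code: a containment check that runs before normalization never fails, whereas normalizing first and then checking with filepath.Rel rejects escapes. The share root, sample inputs and function names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path escapes share root")

// weakResolve checks containment BEFORE normalizing. The raw concatenation
// always starts with root, so the check never fails, and the later Clean
// resolves any ".." segments to a location outside the share root.
func weakResolve(root, userPath string) (string, error) {
	joined := root + "/" + userPath
	if !strings.HasPrefix(joined, root) { // always true: the check is dead
		return "", ErrOutsideRoot
	}
	return filepath.Clean(joined), nil
}

// safeResolve normalizes FIRST (Join cleans the result), then checks the
// relative path back to root. filepath.Rel is robust to ".." segments and
// to sibling-prefix roots such as /srv/share vs /srv/share2.
// Symlinks inside the root are not covered; resolve them separately if the
// share tree may contain any.
func safeResolve(root, userPath string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Join(root, userPath)
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", ErrOutsideRoot
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

func main() {
	root := "/srv/share" // constructed share root
	for _, p := range []string{"docs/readme.txt", "docs/../../secret.txt", "../share2/x"} {
		w, werr := weakResolve(root, p)
		s, serr := safeResolve(root, p)
		fmt.Printf("%-24s weak=%v (%v)  safe=%v (%v)\n", p, w, werr, s, serr)
	}
}
```

Running it shows the weak variant returning /srv/secret.txt for the second input while the safe variant returns ErrOutsideRoot.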
Affected Systems
- FileBrowser Quantum Go Backend (github.com/gtsteffaniak/filebrowser/backend)
- FileBrowser Quantum: < 28e9b81e438e (Fixed in: 0.0.0-20260518193514-28e9b81e438e)
Mitigation Strategies
- Update the application to pseudo-version 0.0.0-20260518193514-28e9b81e438e or later.
- Disable the 'Allow Modify' permission on all public share links.
- Deploy Web Application Firewall (WAF) rules to inspect and block traversal sequences in JSON bodies.
Remediation Steps:
- Identify the current running version of FileBrowser Quantum.
- Pull the latest container image or compile the backend from source including commit 28e9b81e438e.
- Restart the FileBrowser service to apply the patch.
- Audit existing public shares and verify none maintain the Allow Modify flag unless strictly necessary and tightly scoped.
References
- GitHub Advisory: GHSA-qqqm-5547-774x
- Project Repository
- Sibling Vulnerability (CVE-2026-44542)
- OSV Data