PatchSiren cyber security CVE debrief
CVE-2026-48777 gtsteffaniak CVE debrief
CVE-2026-48777 is a critical vulnerability in FileBrowser Quantum, a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go. This vulnerability allows an attacker to move, copy, or rename arbitrary files within the share owner's source root by exploiting a public share link with AllowModify=true.
- Vendor: gtsteffaniak
- Product: filebrowser
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-17
Who should care
Users of FileBrowser Quantum versions prior to 1.3.3-stable and 1.4.2-beta should update to the latest version to prevent exploitation of this vulnerability.
Technical summary
The vulnerability is caused by the publicPatchHandler in backend/http/public.go joining user-controlled fromPath and toPath body fields with the trusted d.share.Path before the downstream sanitizer runs. This allows an attacker to traverse the file system and access files outside the shared directory.
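The join-before-sanitize pattern described above, next to a containment check, as an added example (not FileBrowser Quantum's code or its actual fix). The function names naiveJoin and resolveInShare, the error value, and the sample paths are hypothetical and constructed for illustration; paths are assumed to be slash-separated.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrOutsideShare reports a request path that resolves outside the share.
var ErrOutsideShare = errors.New("path escapes share root")

// naiveJoin mirrors the pattern in the summary: a user-controlled field is
// joined to the trusted share path. path.Join collapses ".." segments, so the
// result can leave the share while still looking like a clean path to any
// sanitizer that runs afterwards.
func naiveJoin(sharePath, userPath string) string {
	return path.Join(sharePath, userPath)
}

// resolveInShare (hypothetical helper) joins, then verifies that the cleaned
// result is the share root itself or a descendant of it, before anything
// downstream sees the path.
func resolveInShare(sharePath, userPath string) (string, error) {
	root := path.Clean("/" + sharePath)
	full := path.Join(root, userPath)
	// Compare against root plus a trailing slash so that a sibling such as
	// /team/public-old does not pass as being inside /team/public.
	prefix := strings.TrimSuffix(root, "/") + "/"
	if full != root && !strings.HasPrefix(full, prefix) {
		return "", ErrOutsideShare
	}
	return full, nil
}

func main() {
	share := "/team/public" // constructed share path
	// Constructed fromPath/toPath values.
	for _, p := range []string{"docs/a.txt", "a/../b", "../private/keys.txt", "../public-old/x"} {
		got, err := resolveInShare(share, p)
		fmt.Printf("%-24q naive=%-26q checked=%q err=%v\n", p, naiveJoin(share, p), got, err)
	}
}
```

The same check has to be applied to both body fields independently, since either one can carry the traversal.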
Defensive priority
High
Recommended defensive actions
- Update to FileBrowser Quantum version 1.3.3-stable or 1.4.2-beta or later.
- Restrict access to public share links with AllowModify=true.
- Monitor file system activity for suspicious behavior.
Evidence notes
This vulnerability has been fixed in versions 1.3.3-stable and 1.4.2-beta. References: [ref-4](https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.3-stable), [ref-5](https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.4.2-beta), [ref-6](https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-qqqm-5547-774x).
Official resources
CVE-2026-48777 was published on 2026-06-16.