Golang/Github.com/Gtsteffaniak/Filebrowser/Backend | GitLab Advisory Database (GLAD)

FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory

publicPatchHandler in backend/http/public.go joins user-controlled fromPath and toPath body fields with the trusted d.share.Path BEFORE the downstream sanitizer runs. Because filepath.Join collapses .. segments during the join, the sanitizer in resourcePatchHandler never sees the traversal and the move/copy/rename operates on a path outside the shared directory. The same root-cause pattern was patched for the bulk DELETE endpoint as CVE-2026-44542 (GHSA-fwj3-42wh-8673), but the PATCH handler with the identical pattern was not …

FileBrowser Quantum: unauthenticated user share share info

Some sensitive info – such as source and path can get exposed.

FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel

The /api/auth/login authentication endpoint does not execute in constant time. When a non-existent username is supplied, the server returns a 401/403 response almost immediately. When a valid username is provided, the server performs a bcrypt password comparison, causing a measurable delay in the response time.

FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info

The remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2.

FileBrowser Quantum: Password Protection Not Enforced on Shared File Links

When users share password-protected files, the recipient can completely bypass the password and still download the file.

Advisories for Golang/Github.com/Gtsteffaniak/Filebrowser/Backend package