CVE-2026-30933: FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info
(updated )
The remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2.
References
- github.com/advisories/GHSA-525j-95gf-766f
- github.com/gtsteffaniak/filebrowser
- github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable
- github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta
- github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f
- nvd.nist.gov/vuln/detail/CVE-2026-30933
Code Behaviors & Features
Detect and mitigate CVE-2026-30933 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →