External risk intelligence

FileBrowser Quantum Path Traversal Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-48777

A path traversal vulnerability exists in FileBrowser Quantum, a self-hosted file manager. This flaw allows an attacker with a public share link that permits modifications to move, copy, or rename files outside the intended shared directory. The issue stems from improper path handling before sanitization, enabling unaut

4Halo Surface Signal

Path Traversal

External exposure likelihood

Halo Surface Signal score for CVE-2026-48777

The application is a web-based file manager designed to be self-hosted and accessible via public share links. As a web-based service providing file management capabilities intended for remote sharing and access, it is commonly deployed as an internet-facing service.

PCI scan relevance

PCI Relevance for CVE-2026-48777

Yes

CVE-2026-48777 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability allows unauthenticated attackers to traverse directories via crafted requests. This could impact systems processing sensitive data, making it relevant for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in FileBrowser Quantum, a self-hosted web-based file manager. The issue allows unauthorized modification, copying, or renaming of files within a user's shared directory via a public share link. This vulnerability is similar to a previously addressed issue, indicating a potential pattern in how file operations are handled.

Path traversal allows unauthorized file tampering.
Critical flaw impacts self-hosted file management.
Confirm relevance and verify exposure.

Attack Path

How an attacker could exploit the issue

An attacker can leverage a public share link with modification capabilities to execute a path traversal attack. This allows them to manipulate files outside of the intended shared directory by crafting specific `fromPath` and `toPath` requests. The vulnerability lies in how user-provided paths are processed before sanitization, enabling actions like moving, copying, or renaming files across the entire source root of the share owner.

Requires a public share link with modification enabled.
Triggers when handling file move/copy/rename operations.
Allows arbitrary file manipulation within the share owner's root.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory's configuration, an attacker with a public share link that allows modification could move, copy, or rename arbitrary files within the owner's shared directory. This occurs because the application incorrectly handles path traversal before sanitizing user-supplied file paths.

Files within the shared directory.
Via a crafted public share link.
Unauthorized file manipulation.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Platform team is likely responsible for managing the self-hosted FileBrowser Quantum instances. The initial focus should be on identifying all deployed instances, confirming their exposure and criticality, and then coordinating with application owners or vendor management to plan the update.

Platform or application owners should lead.
Verify public share links with modification enabled.
Plan and execute version updates.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is FileBrowser Quantum?

FileBrowser Quantum is a free, self-hosted web application used for managing files over a network. It provides a web-based interface that allows users to organize, share, and access their files remotely, often by generating public links for others to view or interact with content stored on the host server.

What is the Path Traversal weakness in CVE-2026-48777?

This is a CWE-22 flaw where the software fails to correctly restrict file operations. In this specific case, the application joins user-provided file paths with internal paths before checking if the request is safe. Because the joining process removes traversal sequences like '..', the security mechanism is bypassed entirely, allowing operations on files outside the intended directories.

How is this vulnerability triggered?

An attacker needs access to a public share link that has the 'AllowModify' permission enabled. They trigger the bug by sending a crafted request to the file move, copy, or rename function. Note that read-only public links or internal-only instances without active public sharing do not provide the necessary pathway to exploit this specific flaw.

Is my instance at risk according to Halo Surface Signal?

Halo Surface Signal indicates that because this software is a web-based file manager designed for remote sharing, it is frequently deployed as an internet-facing service. If you are hosting this application and have public share links enabled with modification rights, your instance matches the profile for likely exposure to this threat.

What are the first steps to secure my installation?

You should immediately audit your deployment to identify versions older than 1.3.2-stable or 1.4.0-beta. The primary resolution is to update your software to version 1.3.3-stable or 1.4.2-beta, which contain the necessary fixes for the path handling logic. If an update is not immediately possible, consider disabling public share links that allow modification.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.