CVE-2026-30933

Description

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected products

gtsteffaniak / filebrowser>= 1.3.0-beta, < 1.3.1-beta – >= 1.3.0-beta, < 1.3.1-beta
gtsteffaniak / filebrowser>= 1.2.6-beta, < 1.2.2-stable – >= 1.2.6-beta, < 1.2.2-stable
gtsteffaniak / filebrowser= 1.1.3-stable – = 1.1.3-stable

References

VENDOR_ADVISORYhttps://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f
PATCHhttps://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable
PATCHhttps://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta