CVE-2026-44542: Critical Path Traversal in FileBrowser Quantum

The National Vulnerability Database has detailed CVE-2026-44542, a critical path traversal vulnerability impacting FileBrowser Quantum, a popular self-hosted web-based file manager. Prior to versions 1.3.1-stable and 1.3.9-beta, the application mishandles attacker-controlled path input by joining it with a trusted base path before proper sanitization. This allows traversal sequences, like ../, to escape the intended shared directory boundary.

This flaw enables an unauthenticated attacker, provided they possess a valid public share hash with delete permissions, to delete arbitrary files outside the configured shared directory. The impact is confined to the share owner’s storage scope, but the ability to perform unauthenticated arbitrary file deletion is a significant risk. The vulnerability affects the public/api/resources and public/api/resources/bulk endpoints.
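The pattern the advisory describes, join first and sanitize afterwards, is easiest to see side by side with a containment check. The following Go example is added here and is not FileBrowser Quantum's code; the share root, file names and function names are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideShare is returned when a request resolves outside the share root.
var ErrOutsideShare = errors.New("path escapes the shared directory")

// vulnerableJoin reproduces the pattern described for CVE-2026-44542: the
// attacker-controlled path is joined onto the trusted base before any
// sanitization. filepath.Join cleans the combined string, so each ".." in
// userPath is resolved against the base and can climb above it.
func vulnerableJoin(base, userPath string) string {
	return filepath.Join(base, userPath)
}

// safeJoin performs the same join but then verifies containment: the result
// must be the base itself or a descendant of it. Anything whose relative
// path starts with ".." is rejected instead of being acted on.
func safeJoin(base, userPath string) (string, error) {
	cleanBase := filepath.Clean(base)
	full := filepath.Join(cleanBase, userPath)
	rel, err := filepath.Rel(cleanBase, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideShare
	}
	// This is a lexical check only. If shares may contain symlinks, also
	// resolve the existing parent with filepath.EvalSymlinks and re-check.
	return full, nil
}

func main() {
	// Constructed share root; a deployment uses the share's configured path.
	base := "/srv/shares/abc123"
	for _, p := range []string{"docs/report.pdf", "../../../etc/passwd", "docs/../../other-share/x"} {
		fmt.Printf("input %q\n  vulnerable join -> %s\n", p, vulnerableJoin(base, p))
		if out, err := safeJoin(base, p); err != nil {
			fmt.Printf("  safe join       -> rejected: %v\n", err)
		} else {
			fmt.Printf("  safe join       -> %s\n", out)
		}
	}
}
```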

The CVSSv3.1 score of 9.1 (Critical) underscores the severity, with a vector indicating network-based attacks requiring no privileges or user interaction, leading to high integrity and availability impacts. Defenders must prioritize patching, as this type of vulnerability is a favorite for initial access or destructive actions within an already compromised environment.

What This Means For You

  • If your organization uses FileBrowser Quantum, immediately verify your version. If it's prior to 1.3.1-stable or 1.3.9-beta, you are exposed to unauthenticated arbitrary file deletion. Patching is non-negotiable. Additionally, audit logs for any suspicious file deletion activities, especially those originating from public share links. Review your public share configurations to ensure delete permissions are only granted when absolutely necessary.

🛡️ Detection Rules

Rule severity: critical · ATT&CK: T1190 (Initial Access)

title: 'CVE-2026-44542: FileBrowser Quantum Path Traversal Deletion'
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-44542 by targeting the /public/api/resources and /public/api/resources/bulk endpoints with a DELETE method and a URI query containing path traversal sequences (../). This indicates an unauthenticated attacker attempting to delete arbitrary files outside the shared directory.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44542/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|startswith:
      - '/public/api/resources'
      - '/public/api/resources/bulk'
    cs-method:
      - 'DELETE'
    cs-uri-query|contains:
      - '../'
  condition: selection
falsepositives:
  - Legitimate administrative activity
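To show what the rule's selection actually matches, here is an added Go example (not part of the page's rule set or any SIEM export) that applies the same logic to constructed webserver records. It percent-decodes the query before checking, so encoded traversal such as ..%2F, which the literal '../' match above would miss, is caught as well; the struct field names are assumptions standing in for cs-method, cs-uri and cs-uri-query.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// LogEntry carries the webserver fields the Sigma rule keys on; the names are
// assumed to map to cs-method, cs-uri and cs-uri-query.
type LogEntry struct{ Method, URI, Query string }

// valueHasTraversal reports whether a decoded value contains a ".." path
// component, treating "\" like "/" so backslash variants are not missed.
func valueHasTraversal(v string) bool {
	for _, part := range strings.Split(strings.ReplaceAll(v, "\\", "/"), "/") {
		if part == ".." {
			return true
		}
	}
	return false
}

// queryHasTraversal percent-decodes the query as the server will, so "..%2F" and
// "%2E%2E/" match alongside the literal "../"; ParseQuery keeps well-formed pairs on error.
func queryHasTraversal(rawQuery string) bool {
	values, _ := url.ParseQuery(rawQuery)
	for _, vs := range values {
		for _, v := range vs {
			if valueHasTraversal(v) {
				return true
			}
		}
	}
	return false
}

// MatchesRule implements the Sigma selection: DELETE against the public
// resources endpoints with a traversal sequence in the query string.
func MatchesRule(e LogEntry) bool {
	return strings.EqualFold(e.Method, "DELETE") &&
		strings.HasPrefix(e.URI, "/public/api/resources") &&
		queryHasTraversal(e.Query)
}

func main() {
	// Constructed sample record, not real telemetry.
	e := LogEntry{"DELETE", "/public/api/resources", "path=..%2F..%2F..%2Fetc%2Fpasswd"}
	fmt.Println("alert:", MatchesRule(e))
}
```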

Source: Shimi's Cyber World


Indicators of Compromise

ID             | Type           | Indicator
CVE-2026-44542 | Path Traversal | FileBrowser Quantum versions prior to 1.3.1-stable and 1.3.9-beta
CVE-2026-44542 | Path Traversal | Vulnerable endpoints: public/api/resources and public/api/resources/bulk
CVE-2026-44542 | Path Traversal | Affected component: attacker-controlled path input joined with trusted base path prior to sanitization

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
