{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30933", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T16:40:05.885Z", "datePublished": "2026-03-10T16:10:56.494Z", "dateUpdated": "2026-03-10T16:41:10.543Z"}, "containers": {"cna": {"title": "FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-602", "lang": "en", "description": "CWE-602: Client-Side Enforcement of Server-Side Security", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f"}, {"name": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable", "tags": ["x_refsource_MISC"], "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable"}, {"name": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta", "tags": ["x_refsource_MISC"], "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta"}], "affected": [{"vendor": "gtsteffaniak", "product": "filebrowser", "versions": [{"version": ">= 1.3.0-beta, < 1.3.1-beta", "status": "affected"}, {"version": ">= 1.2.6-beta, < 1.2.2-stable", "status": "affected"}, {"version": "= 1.1.3-stable", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T16:10:56.494Z"}, "descriptions": [{"lang": "en", "value": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable."}], "source": {"advisory": "GHSA-525j-95gf-766f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30933", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T16:38:31.235168Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:41:10.543Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30933", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T16:38:31.235168Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:40:56.028Z"}}], "cna": {"title": "FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info", "source": {"advisory": "GHSA-525j-95gf-766f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gtsteffaniak", "product": "filebrowser", "versions": [{"status": "affected", "version": ">= 1.3.0-beta, < 1.3.1-beta"}, {"status": "affected", "version": ">= 1.2.6-beta, < 1.2.2-stable"}, {"status": "affected", "version": "= 1.1.3-stable"}]}], "references": [{"url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f", "name": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable", "name": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta", "name": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-602", "description": "CWE-602: Client-Side Enforcement of Server-Side Security"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T16:10:56.494Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30933", "state": "PUBLISHED", "dateUpdated": "2026-03-10T16:41:10.543Z", "dateReserved": "2026-03-07T16:40:05.885Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T16:10:56.494Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9301582-B9B7-431D-B9F0-D2ED8A0F4F0A", "versionEndIncluding": "1.2.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:filebrowser:filebrowser:1.2.1:stable:*:*:*:*:*:*", "matchCriteriaId": "DE0C44CA-A1E7-4A78-AEBE-9E40AC8356A3", "vulnerable": true}, {"criteria": "cpe:2.3:a:filebrowser:filebrowser:1.3.0:beta:*:*:*:*:*:*", "matchCriteriaId": "BBB1EA86-4052-40DC-AAAA-8133DD965699", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable."}, {"lang": "es", "value": "FileBrowser Quantum es un gestor de archivos gratuito, autoalojado y basado en web. Antes de 1.3.1-beta y 1.2.2-stable, la remediaci\u00f3n para CVE-2026-27611 es incompleta. Las comparticiones protegidas con contrase\u00f1a a\u00fan revelan el downloadURL tokenizado a trav\u00e9s de /public/API/share/info. Esta vulnerabilidad est\u00e1 corregida en 1.3.1-beta y 1.2.2-stable."}], "id": "CVE-2026-30933", "lastModified": "2026-03-18T17:13:34.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T18:18:53.070", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-602"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.3.0-beta,1.3.1-beta)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.2.6-beta,1.2.2-stable)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.1.3-stable"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "filebrowser", "source": "cna", "vendor": "gtsteffaniak"}, "product": "filebrowser", "vendor": "gtsteffaniak"}], "analysis": {"en": {"generated_at": "2026-04-16T09:48:06.718474+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading to version\u202f1.3.1\u2011beta or 1.2.2\u2011stable, which removes the download URL exposure.", "If an upgrade is not immediately feasible, restrict external access to the /public/api/share/info endpoint using firewall rules or reverse\u2011proxy authentication to prevent unauthenticated disclosure.", "After configuration changes, validate that password\u2011protected shares no longer return tokenized download URLs by testing the API and monitoring logs for anomalous access patterns."], "summary": {"action": "Patch Upgrade", "impact": "Information Disclosure in Password\u2011Protected Shares"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to gtsteffaniak\u2019s FileBrowser Quantum web\u2011based file manager. All product releases prior to 1.2.2\u2011stable and 1.3.1\u2011beta are affected, including 1.2.1\u2011stable and 1.3.0\u2011beta. Users running these versions should consider them at risk.", "description_and_impact": "FileBrowser Quantum previously implemented a fix for CVE\u20112026\u201127611 that was later found incomplete. In affected releases, password\u2011protected shares continue to expose a tokenized download URL through the /public/api/share/info endpoint. This lapse allows an unauthenticated attacker to obtain a direct download link to resources that the share protection was intended to guard, thereby disclosing confidential data. The weakness aligns with CWE\u2011200 (Information Exposure), CWE\u2011306 (Missing Authentication), and CWE\u2011602 (Improper Verification of Authorization).", "risk_and_exploitability": "The CVSS score of 7.5 denotes high severity, while the EPSS score of less than 1\u202f% indicates a low probability of real\u2011world exploitation at this time. The weakness is not listed in the CISA KEV catalog, reflecting its relatively low prevalence. Attackers can exploit the flaw remotely by sending crafted requests to /public/api/share/info, revealing the download URL even when the share is password protected. No privilege escalation or code execution is involved, but the data exposure could support subsequent attacks."}}}}, "created": "2026-03-11T11:49:49.568303+00:00", "updated": "2026-04-16T10:00:14.063536+00:00", "vendors": ["gtsteffaniak", "gtsteffaniak$PRODUCT$filebrowser"]}