FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion — CVE-2026-44542
GHSA · GitHub · CVE-2026-44542
ID
CVE-2026-44542
Date
Updated
Activity
Source
GHSA
Vendor
GitHub
Threat
critical
CVSS
9.1
Summary
Attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope.

### **Affected…
Product
go: github.com/gtsteffaniak/filebrowser
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.
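The ordering flaw described in the Summary, next to a containment check that rejects it, as an added Go example that is not FileBrowser's code. The function names, error value and sample paths are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideShare is a hypothetical error for paths that leave the share root.
var ErrOutsideShare = errors.New("path escapes share root")

// resolveJoinFirst shows the flawed order: filepath.Join cleans the combined
// path, so "../" segments are already resolved against shareRoot and a later
// filter for ".." on the result has nothing left to catch.
func resolveJoinFirst(shareRoot, userPath string) (string, error) {
	full := filepath.Join(shareRoot, userPath)
	if strings.Contains(full, "..") { // too late: Join removed the evidence
		return "", ErrOutsideShare
	}
	return full, nil
}

// resolveContained joins, then verifies the result is still under shareRoot.
// The check is lexical only; symlinks inside the share need separate handling.
func resolveContained(shareRoot, userPath string) (string, error) {
	root := filepath.Clean(shareRoot)
	full := filepath.Join(root, userPath)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideShare
	}
	return full, nil
}

func main() {
	root := "/srv/files/alice/shared" // constructed sample share root
	for _, p := range []string{"report.txt", "../private/keys.txt", "a/../../b"} {
		_, e1 := resolveJoinFirst(root, p)
		_, e2 := resolveContained(root, p)
		fmt.Printf("%-24q join-first err=%v  contained err=%v\n", p, e1, e2)
	}
}
```

Run the containment check on the final resolved path immediately before the delete call, so no later transformation can move the target back outside the share.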