Threat Advisory

FileBrowser Quantum Vulnerability Leaks Sensitive Info

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-46410 (CVSS score 7.5) is a vulnerability in FileBrowser Quantum that affects the go/github.com/gtsteffaniak/filebrowser/backend package in versions earlier than 0.0.0-20260514154726-1802e1281135 and the go/github.com/gtsteffaniak/filebrowser package in versions earlier than 1.2.1-stable.0.20260514154726-1802e1281135. It lets an unauthenticated user obtain sensitive information, including source and path, and is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Exploitation requires no authentication, specific privileges or access. Successful exploitation gives the attacker unauthorized access to sensitive information, with significant business impact including potential data breaches and reputational damage. Successful exploitation is contingent on the attacker knowing the vulnerable package and its affected versions.

RECOMMENDATION:

  • We recommend updating go/github.com/gtsteffaniak/filebrowser/backend to version 0.0.0-20260514154726-1802e1281135.
  • We recommend updating go/github.com/gtsteffaniak/filebrowser to version 1.2.1-stable.0.20260514154726-1802e1281135.
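
One way to check a project against the fixed versions listed above, as an added example that is not part of the advisory or the FileBrowser Quantum project: it reads go.mod text and flags either module when its version sorts below the fixed one by semantic-version precedence. It assumes the `go/` prefix in the advisory names the Go ecosystem, so module paths appear in go.mod without it and versions carry a leading `v`; the sample go.mod is constructed.

```python
# Added example, not from the advisory: module paths and fixed versions are the
# advisory's; the leading "v" is how Go tooling writes them.
FIXED = {
    "github.com/gtsteffaniak/filebrowser/backend":
        "v0.0.0-20260514154726-1802e1281135",
    "github.com/gtsteffaniak/filebrowser":
        "v1.2.1-stable.0.20260514154726-1802e1281135",
}


def semver_key(version):
    """Sort key following semver precedence (build metadata ignored)."""
    core, _, pre = version.lstrip("v").split("+", 1)[0].partition("-")
    nums = tuple(int(n) for n in core.split("."))
    if not pre:
        return (nums, 1, ())  # a release outranks any pre-release
    # Numeric identifiers compare by value and sort below alphanumeric ones.
    ids = tuple((0, int(i), "") if i.isdigit() else (1, 0, i)
                for i in pre.split("."))
    return (nums, 0, ids)


def vulnerable(text):
    """Return (module, version) pairs that sort below the fixed version.

    Accepts go.mod text or `go list -m all` output.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if fields[:1] == ["require"]:  # single-line "require path version"
            fields = fields[1:]
        if len(fields) >= 2 and fields[0] in FIXED:
            if semver_key(fields[1]) < semver_key(FIXED[fields[0]]):
                hits.append((fields[0], fields[1]))
    return hits


if __name__ == "__main__":
    # Constructed go.mod; the commit hash in the first entry is made up.
    sample = """\
module example.com/app

require (
	github.com/gtsteffaniak/filebrowser/backend v0.0.0-20260101000000-abcdefabcdef
	github.com/gtsteffaniak/filebrowser v1.2.1-stable.0.20260514154726-1802e1281135
)
"""
    for module, version in vulnerable(sample):
        print(f"{module} {version} is below {FIXED[module]}")
```

`go list -m all` prints the versions the build actually selects, so its output is the more reliable input.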

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-3jmg-p96m-m328
