{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/filebrowser/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["filebrowser","github.com"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","file-deletion","web-application"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eFileBrowser, a web-based file manager, contains a critical path traversal vulnerability in its public share DELETE API. This flaw, present in versions prior to commit 112740bdd41d (May 1, 2026), allows an unauthenticated attacker to delete arbitrary files outside the intended shared directory. The vulnerability stems from insufficient sanitization of the \u0026lsquo;path\u0026rsquo; parameter in the API request. An attacker possessing a valid public share hash with delete permissions enabled can manipulate the \u0026lsquo;path\u0026rsquo; parameter using traversal sequences (e.g., ../) to escape the shared directory and delete files within the share owner\u0026rsquo;s configured storage scope. This issue affects both stable and development versions of FileBrowser, making it a significant risk for users who rely on the public share feature with delete permissions enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a FileBrowser instance with public shares enabled and delete permissions granted on at least one share.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a valid public share hash for a specific shared directory.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DELETE request to the \u003ccode\u003e/public/api/resources\u003c/code\u003e endpoint (for stable versions) or \u003ccode\u003e/public/api/resources/bulk\u003c/code\u003e (for development versions).\u003c/li\u003e\n\u003cli\u003eIn the crafted request, the attacker manipulates the \u003ccode\u003epath\u003c/code\u003e parameter (stable) or the \u003ccode\u003epath\u003c/code\u003e field within the JSON body (development) to include path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe FileBrowser server receives the request and incorrectly joins the attacker-controlled path with a trusted base path \u003cem\u003ebefore\u003c/em\u003e sanitization.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal sequences, the resulting path escapes the intended shared directory.\u003c/li\u003e\n\u003cli\u003eThe FileBrowser server attempts to delete the file specified by the manipulated path, which now points to a file outside the intended share.\u003c/li\u003e\n\u003cli\u003eThe targeted file is deleted successfully, resulting in unauthorized data loss.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to delete arbitrary files within the share owner\u0026rsquo;s storage scope. This can lead to significant data loss, service disruption, and potential compromise of sensitive information. The impact is particularly severe if the attacker targets critical system files or data repositories accessible within the FileBrowser instance\u0026rsquo;s storage scope. The vulnerability affects FileBrowser instances with public shares and delete permissions enabled, potentially impacting numerous users who rely on this feature.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of FileBrowser that includes the fix for CVE-2026-44542 to remediate the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect FileBrowser Public Share Path Traversal Attempt\u0026rdquo; to your SIEM to identify potential exploitation attempts in real-time by monitoring for suspicious DELETE requests with path traversal sequences.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of public shares with delete permissions enabled to minimize the potential attack surface.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to provide the necessary data for the provided Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T03:28:06Z","date_published":"2026-05-07T03:28:06Z","id":"/briefs/2026-05-filebrowser-path-traversal/","summary":"A path traversal vulnerability exists in FileBrowser's public share DELETE API allowing unauthenticated attackers with valid share hashes and delete permissions to delete arbitrary files outside the shared directory, leading to unauthorized data loss and potential service disruption.","title":"FileBrowser Public Share DELETE API Path Traversal Allows Arbitrary File Deletion","url":"https://feed.craftedsignal.io/briefs/2026-05-filebrowser-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Filebrowser","version":"https://jsonfeed.org/version/1.1"}