CVE-2026-44542

Critical

Published: 14 May 2026

Published

14 May 2026

Modified

14 May 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Score N/A

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-44542 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-10 Information Input Validation

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

NVD Description

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a…

result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope. This affects public/api/resources and public/api/resources/bulk. This vulnerability is fixed in 1.3.1-stable and 1.3.9-beta.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-22

References

https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-fwj3-42wh-8673
security-advisories@github.com