CVE-2026-27611
MEDIUM WAF: Low
CVSS 6.5
Published: 2026-02-25
CWE-287
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without the password. Versions 1.1.3-stable and 1.2.6-beta fix the issue.
WAF Coverage Analysis
Improper Authentication
Low WAF Coverage
OWASP: A07:2021 Identification and Authentication Failures
Affected Software
| Vendor | Product | Version |
|---|---|---|
| gtsteffaniak | filebrowser_quantum | up to 1.1.3 |
| gtsteffaniak | filebrowser_quantum | 1.2.0 - 1.2.6 |
| gtsteffaniak | filebrowser_quantum | 1.1.3 |
References
- github.com (Patch)
- github.com (Exploit, Vendor Advisory)