{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "1.2.9" }, { "introduced": "0" }, { "last_affected": "1.2.1-stable" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "6b8a65382f0787968eb2275de4f574a68e13e0b4" }, { "introduced": "0" }, { "last_affected": "4c8b1188484f994a0d287435150cf3d58f3dc0f3" } ], "repo": "https://github.com/filebrowser/filebrowser", "type": "GIT" } ] }, { "ranges": [ { "database_specific": { "versions": [ { "introduced": "1.3.0-beta" }, { "fixed": "1.3.1-beta" } ] }, "events": [ { "introduced": "e4907225a1ac0be759245417ac4d5289539f2cea" }, { "fixed": "9d6e429a38be5f4d95476e2d272d6cdff7bcb784" } ], "repo": "https://github.com/gtsteffaniak/filebrowser", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "1.2.6-beta" }, { "fixed": "1.2.2-stable" } ] }, "events": [ { "introduced": "a8c9b9419ec530568991a2f72cec4ed263f99e3c" }, { "fixed": "09713b32a5f6e369a5197319749a12b8e7fd5f2b" } ], "repo": "https://github.com/gtsteffaniak/filebrowser", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "= 1.1.3-stable" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "72d09907031af645c3a8bb85a6db0f5d85bd852c" } ], "repo": "https://github.com/gtsteffaniak/filebrowser", "type": "GIT" } ] } ], "aliases": [ "GHSA-525j-95gf-766f" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-200", "CWE-306", "CWE-602" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30933.json" }, "details": "FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.", "id": "CVE-2026-30933", "modified": "2026-04-01T23:10:10.164776997Z", "published": "2026-03-10T16:10:56.494Z", "references": [ { "type": "WEB", "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.2.2-stable" }, { "type": "WEB", "url": "https://github.com/gtsteffaniak/filebrowser/releases/tag/v1.3.1-beta" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30933.json" }, { "type": "ADVISORY", "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-525j-95gf-766f" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30933" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ], "summary": "FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info" }