# [CRIT] [GHSA / CRITICAL] CVE-2026-48777: FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory

**Source:** GitHub Security Advisories
**Published:** 2026-05-22
**Article:** https://github.com/advisories/GHSA-qqqm-5547-774x

## Threat Profile

FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory

## Summary

`publicPatchHandler` in `backend/http/public.go` joins user-controlled `fromPath` and `toPath` body fields with the trusted `d.share.Path` BEFORE the downstream sanitizer runs. Because `filepath.Join` collapses `..` segments during the join, the sanitizer in `resourcePatchHandler` never sees the traversal and the move/copy/rename operates on a path outside the shared directory. The sam…
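To show why the ordering described above matters, here is an added Go example that is not FileBrowser Quantum's code: it contrasts a join-then-check ordering, in which `filepath.Join` has already collapsed `..` before the check runs, with a containment check that computes the result relative to the share root. The share root, the sample paths and the function names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideShare is returned when a requested path resolves outside the share root.
var ErrOutsideShare = errors.New("path escapes shared directory")

// joinThenSanitize mirrors the vulnerable ordering (hypothetical, not the
// project's function): the user-supplied path is joined with the share root
// first, so filepath.Join collapses ".." before the check runs and a filter
// looking for ".." in the joined path never fires.
func joinThenSanitize(shareRoot, userPath string) (string, error) {
	full := filepath.Join(shareRoot, userPath) // ".." already resolved here
	if strings.Contains(full, "..") {          // cannot see the collapsed segments
		return "", ErrOutsideShare
	}
	return full, nil
}

// resolveInShare is the hardened form: join, then prove containment by
// expressing the result relative to the share root. A relative path that is
// ".." or starts with "../" escaped the root and is rejected.
func resolveInShare(shareRoot, userPath string) (string, error) {
	root := filepath.Clean(shareRoot)
	full := filepath.Join(root, userPath)
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideShare
	}
	return full, nil
}

func main() {
	// Constructed inputs: an assumed share root and three candidate fromPath values.
	root := "/srv/files/public-share"
	for _, p := range []string{"docs/report.pdf", "../../etc/passwd", "docs/../../escape"} {
		v, verr := joinThenSanitize(root, p)
		h, herr := resolveInShare(root, p)
		fmt.Printf("%-20s join-then-check=%q (%v)  contained=%q (%v)\n", p, v, verr, h, herr)
	}
}
```

The same containment check belongs on every user-controlled path field (here both `fromPath` and `toPath`), and it must run on the value the file operation will actually use, not on a copy taken before the join.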

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-48777`
- **CVE:** `CVE-2026-44542`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1083** — File and Directory Discovery
- **T1595.002** — Active Scanning: Vulnerability Scanning

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### FileBrowser Quantum public share PATCH path traversal in fromPath/toPath (GHSA-qqqm-5547-774x)

`UC_214_1` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count, min(_time) as firstTime, max(_time) as lastTime,
    values(Web.uri_query) as uri_query, values(Web.http_user_agent) as user_agent, values(Web.status) as status
    from datamodel=Web
    where Web.http_method="PATCH" AND Web.url="*/public/api/resources*" AND Web.uri_query="*hash=*"
    by Web.src, Web.dest, Web.url
| `drop_dm_object_name("Web")`
| join type=inner src dest
    [ search index=* sourcetype IN (nginx:plus:kv, nginx:access, caddy, apache:access, aws:waf, azure:waf)
        http_method=PATCH uri_path="*/public/api/resources*"
        (request_body="*\"fromPath\":\"..*" OR request_body="*\"toPath\":\"..*" OR request_body="*\"fromPath\": \"..*" OR request_body="*\"toPath\": \"..*" OR _raw="*\"fromPath\":\"..*" OR _raw="*\"toPath\":\"..*")
    | stats values(request_body) as request_body by src dest ]
| table firstTime, lastTime, src, dest, url, uri_query, user_agent, status, request_body, count
```

### Volumetric PATCH probing against FileBrowser Quantum public share endpoint

`UC_214_2` · phase: **recon** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count as patch_count, dc(Web.uri_query) as unique_hashes, dc(Web.url) as unique_urls,
    values(Web.http_user_agent) as user_agents, values(Web.status) as status_codes,
    min(_time) as firstTime, max(_time) as lastTime
    from datamodel=Web
    where Web.http_method="PATCH" AND Web.url="*/public/api/resources*"
    by Web.src, Web.dest, span=5m
| `drop_dm_object_name("Web")`
| where patch_count >= 10 OR unique_hashes >= 3
| eval probe_signal=if(unique_hashes>=3 AND patch_count>=10, "hash_enumeration", if(patch_count>=20, "single_hash_fuzzing", "elevated"))
| table firstTime, lastTime, src, dest, patch_count, unique_hashes, unique_urls, user_agents, status_codes, probe_signal
| sort - patch_count
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-48777`, `CVE-2026-44542`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 3 use case(s) fired, 3 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
