CVE-2026-44542
FileBrowser · FileBrowser Quantum
A directory traversal vulnerability in FileBrowser Quantum allows unauthenticated attackers with share access to delete arbitrary files.
Executive summary
A critical directory traversal vulnerability in FileBrowser Quantum allows an unauthenticated attacker to delete arbitrary files on the host system.
Vulnerability
Improper sanitization of path input allows traversal sequences (e.g., ../) to escape intended directories, enabling unauthorized file deletion by an attacker with a valid public share hash.
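The flaw class described above, shown as an added example (not FileBrowser Quantum's code): a plain path join beside a join followed by a containment check. The function names, the error value, and the sample share root and paths are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrNotInShare is a hypothetical error value for this example.
var ErrNotInShare = errors.New("path is not strictly inside the share root")

// naiveResolve shows the flaw class: Join cleans the result, so "../"
// segments are resolved and the path can land outside shareRoot.
func naiveResolve(shareRoot, userPath string) string {
	return filepath.Join(shareRoot, userPath)
}

// safeResolve joins, then verifies the result is still strictly below
// shareRoot. The check is lexical only: it does not follow symlinks, which
// is why OS-level permissions remain useful as a second layer.
func safeResolve(shareRoot, userPath string) (string, error) {
	root := filepath.Clean(shareRoot)
	target := filepath.Join(root, userPath)
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrNotInShare
	}
	if rel == "." { // assumption: a delete must never target the share root itself
		return "", ErrNotInShare
	}
	return target, nil
}

func main() {
	root := "/srv/share" // constructed sample share root
	// Constructed inputs: one normal path, two traversals, one legitimate name starting with dots.
	for _, p := range []string{"docs/report.txt", "../../etc/passwd", "docs/../../secret", "..notes/a.txt"} {
		safe, err := safeResolve(root, p)
		fmt.Printf("%-20q naive=%-24q safe=%q err=%v\n", p, naiveResolve(root, p), safe, err)
	}
}
```

Comparing the relative path against `..` as a whole segment, rather than searching the input for the substring `..`, keeps legitimate names such as `..notes` usable while still rejecting every path that climbs out of the share.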
Business impact
This flaw allows for the malicious deletion of critical system or user files, potentially resulting in complete service disruption or data loss. With a CVSS score of 9.1, this represents a severe threat to the availability and integrity of the managed file storage.
Remediation
Immediate Action: Update FileBrowser Quantum to version 1.3.1-stable or 1.3.9-beta.
Proactive Monitoring: Monitor file system access logs for deletion activities involving paths outside of designated shared directory structures.
Compensating Controls: Implement file system permissions at the OS level to restrict the service's ability to modify files outside of its intended scope, providing a defense-in-depth measure.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The ability to delete arbitrary files is a high-impact risk. Organizations must apply the provided updates immediately to prevent malicious data destruction and maintain system stability.