Insecure Direct Object Reference (IDOR)

File Browser is vulnerable to an Insecure Direct Object Reference IDOR. The vulnerability is due to insufficient authorization checks in the share deletion functionality, which allows an authenticated attacker with share permissions to delete other users’ shared links by exploiting improper acces...

Exploit for CVE-2026-35585

CVE-2026-35585: File Browser OS Command Injection PoC Desc...

📄 WebRemoteControl Unauthenticated Remote Filesystem Access

WebRemoteControl suffers from an unauthenticated remote filesystem access vulnerability. This proof of concept exploit lets you browse directory contents and access files. Exploit Title: WebRemoteControl - Unauthenticated Remote Filesystem Access Date: 2026-04-14 Exploit Author: Chokri Hammedi...

CVE-2026-35605

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the Matches function in rules/rules.go uses strings.HasPrefix without a trailing directory separator when matching paths against access rules. ...

CVE-2026-35606

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other...

CVE-2026-35607

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 "self-registered users don't get execute perms" stripped Execute permission and Commands from users created via the...

CVE-2026-35585

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 until 2.33.8, the hook system in File Browser — which executes administrator-defined shell commands on file events such as upload, rename, and delete...

EUVD-2026-19782

File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands...

GHSA-7526-J432-6PPP File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands

Summary The fix in commit b6a4fb1 "self-registered users don't get execute perms" stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted executi...

EUVD-2026-19780

File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check...

GHSA-67CG-CPJ7-QGC9 File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check

Summary The resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other content-serving endpoints /api/raw, /api/preview, /api/subtitle correctly verify this permission before serving content. A user with download: fals...

File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check

Summary The resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other content-serving endpoints /api/raw, /api/preview, /api/subtitle correctly verify this permission before serving content. A user with download: fals...

EUVD-2026-19776

File Browser share links remain accessible after Share/Download permissions are revoked...

File Browser share links remain accessible after Share/Download permissions are revoked

When an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. Verified with a running PoC against v2.62.2 commit...

EUVD-2026-19778

File Browser has an access rule bypass via HasPrefix without trailing separator in path matching...

GHSA-5Q48-Q4FM-G3M6 File Browser has an access rule bypass via HasPrefix without trailing separator in path matching

Hi, The Matches function in rules/rules.go uses strings.HasPrefix without a trailing directory separator when matching paths against access rules. A rule for /uploads also matches /uploadsbackup/, granting or denying access to unintended directories. Verified against v2.62.2 commit 860c19d. Detai...

EUVD-2026-19775

File Browser has a Command Injection via Hook Runner...

GHSA-JVPW-637P-H3PW File Browser has a Command Injection via Hook Runner

!NOTE This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new...

File Browser has a Command Injection via Hook Runner

!NOTE This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new...

CVE-2026-35604

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to...