513 matches found
File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
Summary The resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other content-serving endpoints /api/raw, /api/preview, /api/subtitle correctly verify this permission before serving content. A user with download: fals...
EUVD-2026-19780
File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check...
EUVD-2026-19776
File Browser share links remain accessible after Share/Download permissions are revoked...
File Browser share links remain accessible after Share/Download permissions are revoked
When an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. Verified with a running PoC against v2.62.2 commit...
EUVD-2026-19778
File Browser has an access rule bypass via HasPrefix without trailing separator in path matching...
GHSA-5Q48-Q4FM-G3M6 File Browser has an access rule bypass via HasPrefix without trailing separator in path matching
Hi, The Matches function in rules/rules.go uses strings.HasPrefix without a trailing directory separator when matching paths against access rules. A rule for /uploads also matches /uploadsbackup/, granting or denying access to unintended directories. Verified against v2.62.2 commit 860c19d. Detai...
EUVD-2026-19775
File Browser has a Command Injection via Hook Runner...
File Browser has a Command Injection via Hook Runner
!NOTE This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new...
GHSA-JVPW-637P-H3PW File Browser has a Command Injection via Hook Runner
!NOTE This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new...
CVE-2026-35604
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to...
CVE-2026-35606
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other...
CVE-2026-35605
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the Matches function in rules/rules.go uses strings.HasPrefix without a trailing directory separator when matching paths against access rules. ...
CVE-2026-35607
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 "self-registered users don't get execute perms" stripped Execute permission and Commands from users created via the...
CVE-2026-35585
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 until 2.33.8, the hook system in File Browser — which executes administrator-defined shell commands on file events such as upload, rename, and delete...
CVE-2026-35607
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 "self-registered users don't get execute perms" stripped Execute permission and Commands from users created via the...
CVE-2026-35607
CVE-2026-35607 affects File Browser. Before version 2.63.1, a fix that prevented execution rights from being inherited by self-registered users was not applied to the proxy authentication path, causing auto-created proxy-auth users on first successful login to inherit Execute permissions and Comm...
CVE-2026-35607 File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 "self-registered users don't get execute perms" stripped Execute permission and Commands from users created via the...
CVE-2026-35606 File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other...
CVE-2026-35606 File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other...
CVE-2026-35606
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other...