
513 matches found

OSV
added 2025/06/30 7:56 p.m. · 4 views

CVE-2025-52901 File Browser allows sensitive data to be transferred in URL

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier will get leaked to...

CVSS 4.5 · AI score 6.7 · EPSS 0.00348
Exploits: 1 · References: 6
CVE
added 2025/06/30 7:56 p.m. · 27 views

CVE-2025-52901

File Browser (filebrowser) vulnerability CVE-2025-52901 allows leakage of JWT session tokens via GET parameters in URLs, enabling attackers with access to a user’s URL history/logs to gain full access to the user’s account and sensitive files. The issue affects versions prior to 2.33.9 and has be...

CVSS 6.5 · AI score 6.3 · EPSS 0.00348
Exploits: 1 · References: 4 · Affected Software: 1
Vulnrichment
added 2025/06/30 7:56 p.m. · 5 views

CVE-2025-52901 File Browser allows sensitive data to be transferred in URL

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier will get leaked to...

CVSS 4.5 · AI score 6.3 · EPSS 0.00348
Exploits: 1 · References: 4
Cvelist
added 2025/06/30 7:56 p.m. · 7 views

CVE-2025-52901 File Browser allows sensitive data to be transferred in URL

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier will get leaked to...

CVSS 4.5 · EPSS 0.00348
Exploits: 1 · References: 4
OSV
added 2025/06/30 5:49 p.m. · 2 views

GHSA-3V48-283X-F2W4 File Browser's password protection of links is bypassable

Summary: Files managed by the File Browser can be shared with a link to external persons. While the application allows protecting those links with a password, the implementation is error-prone, making an incidental unprotected sharing of a file possible. Impact: File owners might rest in the...

CVSS 3.1 · AI score 5.9 · EPSS 0.00203
Exploits: 1 · References: 6
Github Security Blog
added 2025/06/30 5:46 p.m. · 5 views

File Browser vulnerable to command execution allowlist bypass

Summary: The Command Execution feature of Filebrowser only allows the execution of shell commands which have been predefined on a user-specific allowlist. The implementation of this allowlist is erroneous, allowing a user to execute additional commands not permitted. Impact: A user can execute more...

CVSS 8 · AI score 6.6 · EPSS 0.00498
Exploits: 1 · References: 7 · Affected Software: 2
OSV
added 2025/06/30 5:44 p.m. · 3 views

GHSA-HC8F-M8G5-8362 File Browser: Command Execution not Limited to Scope

Note: This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new...

CVSS 8 · AI score 6.3 · EPSS 0.00563
Exploits: 1 · References: 8
CNNVD
added 2025/06/30 12:0 a.m. · 2 views

FileBrowser Security Vulnerability

FileBrowser is an open source web file browser. Provides a file management interface in a specified directory, can be used to upload, delete, preview, rename and edit your files. FileBrowser has a security vulnerability that originates from an access token passed as a GET parameter, which c...

CVSS 6.5 · AI score 7.1 · EPSS 0.00348
Exploits: 1 · References: 4
CNNVD
added 2025/06/30 12:0 a.m. · 2 views

FileBrowser Security Vulnerability

FileBrowser is an open source web file browser. Provides a file management interface in a specified directory, can be used to upload, delete, preview, rename and edit your files. FileBrowser has a security vulnerability that stems from an improper implementation of password-protected links,...

CVSS 4.3 · AI score 6.8 · EPSS 0.00203
Exploits: 1 · References: 3
CNNVD
added 2025/06/30 12:0 a.m. · 2 views

FileBrowser Command Injection Vulnerability

FileBrowser is an open source web file browser. Provides a file management interface in a specified directory, can be used to upload, delete, preview, rename and edit your files. FileBrowser suffers from a command injection vulnerability, which is caused by a flaw in the command execution...

CVSS 8 · AI score 8.2 · EPSS 0.00498
Exploits: 1 · References: 4
Positive Technologies
added 2025/06/30 12:0 a.m. · 0 views

PT-2025-27474 · Unknown · Filebrowser

Name of the Vulnerable Software and Affected Versions: File Browser versions 2.32.0 and prior. Description: The issue concerns the implementation of password-protected links in File Browser, which is error-prone and can result in potential unprotected sharing of a file through a direct download...

CVSS 4.3 · AI score 6.9 · EPSS 0.00203
Exploits: 1 · References: 14
CNNVD
added 2025/06/30 12:0 a.m. · 2 views

FileBrowser Security Vulnerability

FileBrowser is an open source web file browser. Provides a file management interface in a specified directory, can be used to upload, delete, preview, rename and edit your files. FileBrowser has a security vulnerability that stems from the lack of password policy and brute force protection,...

CVSS 7.5 · AI score 7 · EPSS 0.00162
Exploits: 1 · References: 3
Positive Technologies
added 2025/06/30 12:0 a.m. · 1 views

PT-2025-27472 · Unknown · Filebrowser

Name of the Vulnerable Software and Affected Versions: File Browser versions prior to 2.33.9. Description: The issue concerns the leakage of JSON Web Tokens (JWT) used as session identifiers due to their inclusion as GET parameters in URLs. This leakage can occur when a user accesses certain URLs,...

CVSS 6.5 · AI score 7.3 · EPSS 0.00348
Exploits: 1 · References: 15
RedhatCVE
added 2025/06/28 6:24 p.m. · 5 views

CVE-2025-52904

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions of the web application on the 2.x branch, all users have a scope assigned, and they only have access to the files within that scope. The...

CVSS 8 · AI score 6.4 · EPSS 0.00563
Exploits: 1 · References: 1
RedhatCVE
added 2025/06/28 3:17 p.m. · 2 views

CVE-2025-52900

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same is true for the...

CVSS 5.5 · AI score 7.2 · EPSS 0.00076
Exploits: 1 · References: 1
RedhatCVE
added 2025/06/28 3:17 p.m. · 4 views

CVE-2025-52902

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a...

CVSS 7.6 · AI score 7 · EPSS 0.00105
Exploits: 1 · References: 1
OSV
added 2025/06/27 3:19 p.m. · 4 views

GHSA-3Q2W-42MV-CPH4 filebrowser Allows Shell Commands to Spawn Other Commands

Note: This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new...

CVSS 8 · AI score 6.5 · EPSS 0.00655
Exploits: 1 · References: 9
NVD
added 2025/06/26 7:15 p.m. · 4 views

CVE-2025-52903

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions on the 2.x branch prior to 2.33.10, the Command Execution feature of File Browser only allows the execution of shell commands which have be...

CVSS 8 · EPSS 0.00655
Exploits: 1 · References: 7
NVD
added 2025/06/26 7:15 p.m. · 3 views

CVE-2025-52904

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions of the web application on the 2.x branch, all users have a scope assigned, and they only have access to the files within that scope. The...

CVSS 8 · EPSS 0.00563
Exploits: 1 · References: 6
Snyk
added 2025/06/26 6:42 p.m. · 0 views

Arbitrary Command Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Command Injection via the Command Execution process. An attacker can execute arbitrary commands with the privileges of the server process by leveraging allowed shell commands that can spawn additional commands. This is only...

CVSS 9.8 · AI score 7.6 · EPSS 0.00655
Exploits: 1 · References: 2