25 matches found

OSV
added 6 days ago, 5 views

GO-2026-5458 File Browser has incorrect access control for public directory shares via rule path rebasing in github.com/filebrowser/filebrowser

File Browser has incorrect access control for public directory shares via rule path rebasing in github.com/filebrowser/filebrowser...

CVSS 7.5 | AI score 5.8 | EPSS 0.00471
Exploits 0 | References 3
Cvelist
added 6 days ago, 28 views

CVE-2026-54091 File Browser: Incorrect access control in public directory shares via rule path rebasing

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths agains...

CVSS 7.5 | EPSS 0.00471
Exploits 0 | References 3
RedhatCVE
added 2026/06/05 7:27 p.m., 11 views

CVE-2026-40304

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environmentid = NULL (the marker for admin-created global frontends), the conditio...

CVSS 5.3 | AI score 5.5 | EPSS 0.00286
Exploits 0 | References 1
Positive Technologies
added 2026/05/22 12:00 a.m., 8 views

PT-2026-47627

Name of the vulnerable software and affected versions: FileBrowser Quantum versions prior to 1.3.3-stable; FileBrowser Quantum versions prior to 1.4.2-beta. Description: Path Traversal is possible through the publicPatchHandler function in backend/http/public.go. The issue occurs because the software...

CVSS 9.3 | AI score 5.4 | EPSS 0.00446
Exploits 0 | References 9
NVD
added 2026/05/14 6:16 p.m., 15 views

CVE-2026-44542

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an...

CVSS 9.1 | EPSS 0.00523
Exploits 1 | References 1
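The two FileBrowser Quantum entries above (the publicPatchHandler traversal and CVE-2026-44542) describe the same bug class: untrusted path input is joined to a trusted share root before it is sanitized. The Go program below is an added illustration of that class and of the safe ordering; it is not FileBrowser Quantum's code, and the share root, file names and function names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideShare is returned when a requested path would leave the shared directory.
var ErrOutsideShare = errors.New("path escapes the shared directory")

// resolveVulnerable reproduces the ordering the advisories describe: the
// attacker-controlled path is joined to the trusted share root first and the
// result is cleaned afterwards. filepath.Join collapses ".." during the join,
// so "../../etc/passwd" is resolved relative to the share root and escapes it.
func resolveVulnerable(shareRoot, userPath string) string {
	joined := filepath.Join(shareRoot, userPath)
	return filepath.Clean(joined) // cleaning after the join cannot undo the climb
}

// resolveSafe normalizes the untrusted component on its own, rejects it if it
// is absolute or climbs above its own origin, and only then joins it to the
// share root. The final filepath.Rel check is an independent containment test
// on the result, so a later refactor of step 1 still cannot reopen the hole.
func resolveSafe(shareRoot, userPath string) (string, error) {
	up := ".." + string(filepath.Separator)

	// Step 1: sanitize before joining. Clean("") is ".", which maps to the root itself.
	clean := filepath.Clean(filepath.FromSlash(userPath))
	if filepath.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, up) {
		return "", ErrOutsideShare
	}

	// Step 2: join with the trusted base.
	full := filepath.Join(shareRoot, clean)

	// Step 3: verify the result is still rooted at the share directory.
	rel, err := filepath.Rel(filepath.Clean(shareRoot), full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, up) {
		return "", ErrOutsideShare
	}
	return full, nil
}

func main() {
	// Constructed sample: a public share rooted at this directory (assumed path).
	root := "/srv/shares/abc123"
	for _, p := range []string{"report.pdf", "docs/../report.pdf", "../../etc/passwd", "docs/../../../etc/passwd"} {
		safe, err := resolveSafe(root, p)
		fmt.Printf("%-28q vulnerable=%-26s safe=%q err=%v\n", p, resolveVulnerable(root, p), safe, err)
	}
}
```

The checks are on strings only: a symlink inside the share that points outside it passes both resolvers. When the resolved path is opened on disk, resolve symlinks as well (filepath.EvalSymlinks, or os.Root on Go 1.24 and later, which confines opens to a directory at the kernel level) and repeat the containment test on the real path.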
Github Security Blog
added 2026/04/16 9:09 p.m., 5 views

zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records

Summary: The unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environmentid = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership...

CVSS 5.3 | AI score 5.8 | EPSS 0.00286
Exploits 0 | References 4 | Affected software 2
Snyk
added 2026/04/16 9:09 p.m., 2 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to improper access control in the unaccess process. An attacker can cause disruption of all public shares routed through a global frontend by sending a DELETE request to the affected API endpoint with knowled...

CVSS 6 | AI score 5.7 | EPSS 0.00286
Exploits 0 | References 3
Snyk
added 2026/04/16 9:09 p.m., 4 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to improper access control in the unaccess process. An attacker can cause disruption of all public shares routed through a global frontend by sending a DELETE request to the affected API endpoint with knowled...

CVSS 6 | AI score 5.8 | EPSS 0.00286
Exploits 0 | References 3
Snyk
added 2026/04/16 9:09 p.m., 10 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to improper access control in the unaccess process. An attacker can cause disruption of all public shares routed through a global frontend by sending a DELETE request to the affected API endpoint with knowled...

CVSS 6 | AI score 5.7 | EPSS 0.00286
Exploits 0 | References 3
Snyk
added 2026/04/16 9:09 p.m., 5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to improper access control in the unaccess process. An attacker can cause disruption of all public shares routed through a global frontend by sending a DELETE request to the affected API endpoint with knowled...

CVSS 6 | AI score 5.8 | EPSS 0.00286
Exploits 0 | References 3
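The zrok entries above (CVE-2026-40304, the GitHub advisory and the Snyk records) all describe one ownership guard that short-circuits when the owner column is NULL. The Go program below is an added illustration of that guard shape and of the allow-list form that closes it; it is not zrok's code, and the Frontend and Caller types, their field names and the token values are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Frontend is a constructed stand-in for the record the advisory describes:
// a nil EnvironmentId marks an admin-created global frontend, otherwise it
// names the owning environment. Field and type names are assumptions for this
// example; they are not zrok's.
type Frontend struct {
	Token         string
	EnvironmentId *int
}

// Caller is the authenticated principal making the DELETE request.
type Caller struct {
	EnvironmentId int
	IsAdmin       bool
}

var (
	ErrForbidden = errors.New("forbidden: caller does not own this frontend")
	ErrNotFound  = errors.New("frontend not found")
)

// guardVulnerable reproduces the short-circuit: the check only fires when an
// owner is recorded AND it differs from the caller. For a global frontend the
// first operand is false, the whole condition is false, and the deletion is
// allowed for any authenticated caller who knows the token.
func guardVulnerable(fe Frontend, c Caller) error {
	if fe.EnvironmentId != nil && *fe.EnvironmentId != c.EnvironmentId {
		return ErrForbidden
	}
	return nil
}

// guardFixed states the positive condition instead: the caller must be an
// admin, or the record must have an owner and that owner must be the caller.
// A global frontend has no owner, so only an admin passes.
func guardFixed(fe Frontend, c Caller) error {
	if c.IsAdmin {
		return nil
	}
	if fe.EnvironmentId == nil || *fe.EnvironmentId != c.EnvironmentId {
		return ErrForbidden
	}
	return nil
}

// deleteFrontend is the unaccess operation: look the record up by token, apply
// the ownership guard, and remove it. The guard is a parameter so both versions
// can be exercised against the same store.
func deleteFrontend(store map[string]Frontend, token string, c Caller, guard func(Frontend, Caller) error) error {
	fe, ok := store[token]
	if !ok {
		return ErrNotFound
	}
	if err := guard(fe, c); err != nil {
		return err
	}
	delete(store, token)
	return nil
}

func main() {
	env7 := 7
	store := map[string]Frontend{
		"public": {Token: "public"},                    // global frontend: no owning environment
		"mine":   {Token: "mine", EnvironmentId: &env7}, // owned by environment 7
	}
	attacker := Caller{EnvironmentId: 42} // non-admin, owns neither record

	fmt.Println("vulnerable guard, global frontend:", deleteFrontend(store, "public", attacker, guardVulnerable)) // <nil>: record deleted
	fmt.Println("vulnerable guard, owned frontend: ", deleteFrontend(store, "mine", attacker, guardVulnerable))   // forbidden
	store["public"] = Frontend{Token: "public"}
	fmt.Println("fixed guard, global frontend:     ", deleteFrontend(store, "public", attacker, guardFixed))          // forbidden
	fmt.Println("fixed guard, admin caller:        ", deleteFrontend(store, "public", Caller{IsAdmin: true}, guardFixed)) // <nil>
}
```

The general lesson is that a deny-style guard ("refuse if owner is set and differs") silently admits every record whose owner is absent; writing the guard as the condition that must hold for the action to proceed makes a NULL owner fail closed.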
NVD
added 2026/04/07 5:16 p.m., 2 views

CVE-2026-35604

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to...

CVSS 8.2 | EPSS 0.00332
Exploits 1 | References 2
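CVE-2026-35604 above describes share links that keep working after the admin has revoked the creator's Share and Download permissions, i.e. authority that was checked at creation time and never re-derived. The Go program below is an added illustration of that failure mode and of a resolver that re-checks the owner's current permissions on every public access; it is not File Browser's code, and the permission names, the user "alice", the link hash and the path are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Perms are the per-user flags an admin can revoke. Names are assumptions for
// this example, not File Browser's.
type Perms struct {
	Share    bool
	Download bool
}

type User struct {
	Name  string
	Perms Perms
}

// ShareLink is a public link; Owner is the user who created it.
type ShareLink struct {
	Hash  string
	Owner string
	Path  string
}

type Store struct {
	Users  map[string]*User
	Shares map[string]ShareLink
}

var (
	ErrNotFound        = errors.New("share not found")
	ErrOwnerNoShare    = errors.New("share owner no longer holds the Share permission")
	ErrOwnerNoDownload = errors.New("share owner no longer holds the Download permission")
)

// resolveVulnerable reproduces the flaw: the owner's permissions were checked
// once when the link was created and are never consulted again, so the link
// outlives the revocation of the permission that authorized it.
func (s *Store) resolveVulnerable(hash string) (ShareLink, error) {
	link, ok := s.Shares[hash]
	if !ok {
		return ShareLink{}, ErrNotFound
	}
	return link, nil
}

// resolveChecked re-derives the link's authority on every public access from
// the owner's current permissions: Share for listing and preview, Download as
// well for file fetches. Revocation therefore takes effect on the next request.
func (s *Store) resolveChecked(hash string, wantDownload bool) (ShareLink, error) {
	link, ok := s.Shares[hash]
	if !ok {
		return ShareLink{}, ErrNotFound
	}
	owner, ok := s.Users[link.Owner]
	if !ok || !owner.Perms.Share {
		return ShareLink{}, ErrOwnerNoShare
	}
	if wantDownload && !owner.Perms.Download {
		return ShareLink{}, ErrOwnerNoDownload
	}
	return link, nil
}

// revokeShare is the admin action. Clearing the flags is enough for
// resolveChecked; the optional sweep also deletes the user's outstanding links
// so no stale records remain for any other code path to honour. Returns the
// number of links removed.
func (s *Store) revokeShare(user string, sweepLinks bool) int {
	if u, ok := s.Users[user]; ok {
		u.Perms.Share = false
		u.Perms.Download = false
	}
	removed := 0
	if sweepLinks {
		for hash, link := range s.Shares {
			if link.Owner == user {
				delete(s.Shares, hash)
				removed++
			}
		}
	}
	return removed
}

// demoStore builds the constructed sample: one user with both permissions and one link she created.
func demoStore() *Store {
	return &Store{
		Users:  map[string]*User{"alice": {Name: "alice", Perms: Perms{Share: true, Download: true}}},
		Shares: map[string]ShareLink{"k7Qp": {Hash: "k7Qp", Owner: "alice", Path: "/reports/q1.pdf"}},
	}
}

func main() {
	st := demoStore()
	st.revokeShare("alice", false)
	_, err := st.resolveVulnerable("k7Qp")
	fmt.Println("vulnerable resolver after revoke:", err) // <nil>: the stale link still works
	_, err = st.resolveChecked("k7Qp", true)
	fmt.Println("checked resolver after revoke:   ", err) // share owner no longer holds the Share permission
}
```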
RedhatCVE
added 2026/03/26 3:03 p.m., 9 views

CVE-2026-30934

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead ...

CVSS 8.9 | AI score 5.9 | EPSS 0.00347
Exploits 1 | References 1
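CVE-2026-30934 above attributes the stored XSS to rendering share metadata with Go's text/template rather than html/template. The program below is an added side-by-side of the two packages on one template source; it is not FileBrowser Quantum's code, and the Share type, the template markup and the payloads are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	texttpl "text/template"
)

// Share is a constructed stand-in for the share metadata fields the advisory names.
type Share struct {
	Title       string
	Description string
}

// One template source for both renderers, so the only variable is which package executes it.
const page = `<h1>{{.Title}}</h1><p>{{.Description}}</p>`

// renderTextTemplate reproduces the flaw: text/template substitutes values
// verbatim, so attacker-controlled metadata becomes live markup in the page.
func renderTextTemplate(s Share) (string, error) {
	tpl, err := texttpl.New("share").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tpl.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderHTMLTemplate is the fix: html/template parses the template as HTML,
// determines the context of each {{...}} action (element body, attribute,
// URL, script) and applies the matching escaper, so "<" is emitted as "&lt;".
func renderHTMLTemplate(s Share) (string, error) {
	tpl, err := htmltpl.New("share").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tpl.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed payloads of the kind a stored-XSS test would submit as share metadata.
	s := Share{
		Title:       `<script>alert(document.cookie)</script>`,
		Description: `"><img src=x onerror=alert(1)>`,
	}
	raw, _ := renderTextTemplate(s)
	esc, _ := renderHTMLTemplate(s)
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", esc)
}
```

The escaping only applies to values that flow through {{...}} actions: HTML assembled by string concatenation, or a value wrapped in template.HTML, bypasses it. A Content-Security-Policy without inline script is the independent second layer for the cases a template switch does not reach.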
NVD
added 2026/03/20 2:16 p.m., 13 views

CVE-2026-33370

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specific uploaded file types. When a user opens a publicly shared Briefcase file containing malicious...

CVSS 6.1 | EPSS 0.00205
Exploits 0 | References 4
Vulnrichment
added 2026/03/20 12:00 a.m., 3 views

CVE-2026-33370

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specific uploaded file types. When a user opens a publicly shared Briefcase file containing malicious...

AI score 5.8 | EPSS 0.00205
Exploits 0 | References 4
PyPA
added 2026/03/11 9:16 p.m., 10 views

PYSEC-2026-31

Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating a share of just a single file inside a folder or either the...

CVSS 7.5 | AI score 5.8 | EPSS 0.00344
Exploits 0 | References 1 | Affected software 1
RedhatCVE
added 2026/01/09 11:28 a.m., 11 views

CVE-2021-33828

The filesantivirus component before 1.0.0 for ownCloud mishandles the protection mechanism by which malicious files that have been uploaded to a public share are supposed to be deleted upon detection...

CVSS 8.8 | AI score 6.9 | EPSS 0.01156
Exploits 0 | References 1
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2020-23792

Malware in sbrugna...

CVSS 7.5 | AI score 7.6 | EPSS 0.00835
Exploits 0 | References 2
UbuntuCve
added 2021/09/07 7:15 p.m., 22 views

CVE-2021-35947

The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL...

CVSS 5.3 | AI score 6.2 | EPSS 0.01227
Exploits 0 | References 3
OSV
added 2021/02/19 7:15 a.m., 4 views

CVE-2020-36249

The File Firewall before 2.8.0 for ownCloud Server does not properly enforce file-type restrictions for public shares...

CVSS 7.5 | AI score 7.1 | EPSS 0.00835
Exploits 0 | References 1
Prion
added 2021/02/19 7:15 a.m., 17 views

Design/Logic Flaw

The File Firewall before 2.8.0 for ownCloud Server does not properly enforce file-type restrictions for public shares...

CVSS 5 | AI score 7.6 | EPSS 0.00835
Exploits 0 | References 1 | Affected software 1