3 matches found
CVE-2026-62843 File Browser: Archive builder turns backslash filenames into path traversal (zip-slip)
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.63.6 to 2.63.16, File Browser's archive builder uses strings.ReplaceAllnameInArchive, "", "/", which turns a POSIX filename such as ....\evil.sh into the...
EUVD-2026-44707
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.63.6 to 2.63.16, File Browser's archive builder uses strings.ReplaceAllnameInArchive, "", "/", which turns a POSIX filename such as ....\evil.sh into the...
CVE-2026-62843
CVE-2026-62843 affects File Browser (versions 2.63.6–2.63.16). The archive builder calls strings.ReplaceAll(nameInArchive, "\", "/"), which can transform a POSIX filename like ..\..\evil.sh into ../../evil.sh within the generated zip/tar. This enables a user with upload permissions to place a bac...