2 matches found
CVE-2026-62685
The CVE affects File Browser prior to version 2.63.17. The issue arises in how user scopes are built from usernames via cleanUsername() when Signup=true and CreateUserDir=true: the many-to-one normalization can collapse usernames such as team/one, team one, and team-one to the same home directory...
Monitoring is vulnerable to Archive Slip due to missing checks in sanitization
The sanitizeArchivePath function in pkg/extract/extract.go lines 248–254 is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. A crafted tar archive can write files outside the intended destination directory when using the extractor CLI...