28 matches found
CVE-2026-54097 File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a low-privileged authenticated user of filebrowser with create + delete permissions in their own isolated scope can silently destroy share-link...
File Browser has a Command Injection via Hook Runner
Note: This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new...
PT-2026-30904
Name of the Vulnerable Software and Affected Versions: File Browser versions 2.0.0 through 2.33.8 Description: The hook system in File Browser, which executes administrator-defined shell commands during file events such as upload, rename, and delete, is susceptible to OS command injection. The issu...
GO-2025-4118 File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency in github.com/filebrowser/filebrowser
File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency in github.com/filebrowser/filebrowser...
EUVD-2011-4749
Malware in sbrugna...
EUVD-2011-2634
Malware in sbrugna...
GO-2025-3792 File Browser vulnerable to insecure password handling in github.com/filebrowser/filebrowser
File Browser vulnerable to insecure password handling in github.com/filebrowser/filebrowser...
CVE-2025-53893
CVE-2025-53893 affects the filebrowser/filebrowser 2.38.0 DoS vulnerability where the server loads entire file content into memory during reads (e.g., /files/{file-name} or /api/resources/{file-name}) without size checks, enabling an authenticated user to trigger memory exhaustion and potentially...
FileBrowser Command Injection Vulnerability (CNVD-2025-22706)
FileBrowser is an open source web file browser. It provides a file management interface in a specified directory and can be used to upload, delete, preview, rename and edit your files. FileBrowser suffers from a command injection vulnerability, which is caused by a flaw in the command execution...
CVE-2025-52995
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they are authorized fo...
CVE-2025-52995
CVE-2025-52995 concerns File Browser’s command execution allowlist bypass. The bug, present before version 2.33.10, stems from a regex-based allowlist check that uses partial matches, enabling an attacker with the Execute Commands permission to run additional shell commands beyond those explicitl...
CVE-2025-52995 File Browser vulnerable to command execution allowlist bypass
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they are authorized fo...
CVE-2025-52901 File Browser allows sensitive data to be transferred in URL
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier will get leaked to...
File Browser vulnerable to command execution allowlist bypass
Summary: The Command Execution feature of Filebrowser only allows the execution of shell commands which have been predefined on a user-specific allowlist. The implementation of this allowlist is erroneous, allowing a user to execute additional commands not permitted. Impact: A user can execute more...
GHSA-HC8F-M8G5-8362 File Browser: Command Execution not Limited to Scope
Note: This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new...
PT-2025-27474 · Unknown · Filebrowser
Name of the Vulnerable Software and Affected Versions: File Browser versions 2.32.0 and prior Description: The issue concerns the implementation of password-protected links in File Browser, which is error-prone and can result in potential unprotected sharing of a file through a direct download...
PT-2025-27472 · Unknown · Filebrowser
Name of the Vulnerable Software and Affected Versions: File Browser versions prior to 2.33.9 Description: The issue concerns the leakage of JSON Web Tokens (JWT) used as session identifiers due to their inclusion as GET parameters in URLs. This leakage can occur when a user accesses certain URLs,...
GHSA-3Q2W-42MV-CPH4 filebrowser Allows Shell Commands to Spawn Other Commands
Note: This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new...
CVE-2025-52904 File Browser: Command Execution not Limited to Scope
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions of the web application on the 2.x branch, all users have a scope assigned, and they only have access to the files within that scope. The...
CVE-2025-52902
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a...