603 matches found
CVE-2026-62685 File Browser: Colliding username normalization gives two users the same home directory
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser builds new user scopes from usernames passed through cleanUsername when Signup=true and CreateUserDir=true, but the many-to-one...
CVE-2026-62685
The CVE affects File Browser prior to version 2.63.17. The issue arises in how user scopes are built from usernames via cleanUsername() when Signup=true and CreateUserDir=true: the many-to-one normalization can collapse usernames such as team/one, team one, and team-one to the same home directory...
CVE-2026-62843 File Browser: Archive builder turns backslash filenames into path traversal (zip-slip)
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.63.6 to 2.63.16, File Browser's archive builder uses strings.ReplaceAllnameInArchive, "", "/", which turns a POSIX filename such as ....\evil.sh into the...
CVE-2026-62843 File Browser: Archive builder turns backslash filenames into path traversal (zip-slip)
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.63.6 to 2.63.16, File Browser's archive builder uses strings.ReplaceAllnameInArchive, "", "/", which turns a POSIX filename such as ....\evil.sh into the...
EUVD-2026-44707
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.63.6 to 2.63.16, File Browser's archive builder uses strings.ReplaceAllnameInArchive, "", "/", which turns a POSIX filename such as ....\evil.sh into the...
CVE-2026-62843
CVE-2026-62843 affects File Browser (versions 2.63.6–2.63.16). The archive builder calls strings.ReplaceAll(nameInArchive, "\", "/"), which can transform a POSIX filename like ..\..\evil.sh into ../../evil.sh within the generated zip/tar. This enables a user with upload permissions to place a bac...
CVE-2026-62683 File Browser: Trailing-slash delete leaves a stale public share behind
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser can leave a public directory share behind when the shared directory is deleted through a path with a trailing slash because the...
CVE-2026-62683
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser can leave a public directory share behind when the shared directory is deleted through a path with a trailing slash because the...
CVE-2026-62683 File Browser: Trailing-slash delete leaves a stale public share behind
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser can leave a public directory share behind when the shared directory is deleted through a path with a trailing slash because the...
CVE-2026-62683
File Browser (server-side) contains a vulnerability prior to version 2.63.17 where deleting a shared directory with a trailing slash can leave a stale public share behind. The issue arises because the cleanup path calls DeleteWithPathPrefix(file.Path, userID) while the Bolt backend queries the da...
EUVD-2026-44705
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser can leave a public directory share behind when the shared directory is deleted through a path with a trailing slash because the...
CVE-2026-54089
creationtimestamp| type| source ---|---|--- 2026-07-10 20:16:04+00:00| seen| https://bsky.app/profile/stackflag.bsky.social/post/3mqcxoiwmmg2z 2026-07-10 20:35:14+00:00| published-proof-of-concept| https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xqp3-jq6g-x3qm 2026-07-11...
EUVD-2026-39510
File Browser: Command Injection via Authentication Hook Shell Substitution Pre-Authentication RCE...
EUVD-2026-39508
File Browser: Authentication Bypass via Proxy Auth Header Forgery...
CVE-2026-55668 File Browser: ScopedFs follows a dangling symlink on write, letting a scoped user create files outside their scope
File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create...
CVE-2026-55668
The CVE affects File Browser’s ScopedFs component prior to version 2.63.16. An authenticated user with Create and Modify permissions can trigger ScopedFs to validate the nearest existing ancestor of a dangling symlink and then follow the symlink during file creation, allowing attacker‑controlled ...
CVE-2026-55668 File Browser: ScopedFs follows a dangling symlink on write, letting a scoped user create files outside their scope
File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create...
EUVD-2026-42272
File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create...
GO-2026-5691 File Browser has a DoS Vulnerability via Public Login API in github.com/filebrowser/filebrowser
File Browser has a DoS Vulnerability via Public Login API in github.com/filebrowser/filebrowser...
GO-2026-5458 File Browser has incorrect access control for public directory shares via rule path rebasing in github.com/filebrowser/filebrowser
File Browser has incorrect access control for public directory shares via rule path rebasing in github.com/filebrowser/filebrowser...