Lucene search
K

295 matches found

NVD
NVD
added 2 days ago8 views

CVE-2026-61874

filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose ne...

3.1CVSS0.00198EPSS
Exploits0References3
CVE
CVE
added 2 days ago13 views

CVE-2026-61874

CVE-2026-61874 affects filebrowser before 2.63.17. The root cause is improper path normalization in DeleteWithPathPrefix, allowing an authenticated user to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path and then recreate the same directory to...

3.1CVSS6.1AI score0.00198EPSS
Exploits0References3
EUVD
EUVD
added 2 days ago8 views

EUVD-2026-43234

filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose ne...

3.1CVSS6.1AI score0.00198EPSS
Exploits0References3
Cvelist
Cvelist
added 2 days ago35 views

CVE-2026-61874 filebrowser before 2.63.17 Stale Public Share via Trailing-Slash Delete

filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose ne...

3.1CVSS0.00198EPSS
Exploits0References3
Circl
Circl
added 6 days ago5 views

CVE-2026-54685

creationtimestamp| type| source ---|---|--- 2026-07-08 18:35:05+00:00| published-proof-of-concept| https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-7789-65hx-f26w...

5.9AI score
Exploits0References1
Chainguard
Chainguard
added 2026/06/26 8:22 p.m.8 views

CVE-2026-46602 vulnerabilities

Vulnerabilities for packages: mattermost-fips, rclone-fips, seaweedfs, seaweedfs-operator-fips, hugo-extended, mailpit, mailpit-fips, seaweedfs-fips, mattermost, seaweedfs-rocksdb-fips, rclone, filebrowser, seaweedfs-rocksdb, hugo-fips, listmonk, seaweedfs-operator, gitlab-workhorse-ce, hugo...

7.5CVSS6.1AI score0.00339EPSS
Exploits0
Chainguard
Chainguard
added 2026/06/26 8:22 p.m.10 views

GHSA-PWFV-328H-75X9 vulnerabilities

Vulnerabilities for packages: mattermost-fips, rclone-fips, seaweedfs, seaweedfs-operator-fips, hugo-extended, mailpit, mailpit-fips, seaweedfs-fips, mattermost, seaweedfs-rocksdb-fips, rclone, filebrowser, seaweedfs-rocksdb, hugo-fips, listmonk, seaweedfs-operator, gitlab-workhorse-ce, hugo...

6.1AI score
Exploits0
Wolfi
Wolfi
added 2026/06/26 8:22 p.m.7 views

CVE-2026-46602 vulnerabilities

Vulnerabilities for packages: mailpit, filebrowser, mattermost, hugo, hugo-extended, seaweedfs, rclone...

7.5CVSS6.1AI score0.00339EPSS
Exploits0
Wolfi
Wolfi
added 2026/06/26 8:22 p.m.9 views

GHSA-PWFV-328H-75X9 vulnerabilities

Vulnerabilities for packages: mailpit, filebrowser, mattermost, hugo, hugo-extended, seaweedfs, rclone...

6.1AI score
Exploits0
OSV
OSV
added 2026/06/25 10:34 p.m.5 views

GO-2026-5591 FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory in github.com/gtsteffaniak/filebrowser/backend

FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory in github.com/gtsteffaniak/filebrowser/backend...

9.3CVSS5.8AI score0.00446EPSS
Exploits0References1
OSV
OSV
added 2026/06/25 10:34 p.m.8 views

GO-2026-5511 FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header) in github.com/gtsteffaniak/filebrowser

FileBrowser Vulnerable to Stored XSS via SVG File in Public Share Missing CSP Header in github.com/gtsteffaniak/filebrowser...

5.8AI score
Exploits0References2
OSV
OSV
added 2026/06/25 10:34 p.m.5 views

GO-2026-5458 File Browser has incorrect access control for public directory shares via rule path rebasing in github.com/filebrowser/filebrowser

File Browser has incorrect access control for public directory shares via rule path rebasing in github.com/filebrowser/filebrowser...

7.5CVSS5.8AI score0.00471EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/25 7:19 p.m.6 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the Hook Authentication process. An attacker can execute arbitrary operating system commands by injecting shell metacharacters into the username or password fields during login. Remediation Upgrade...

9.8CVSS6.2AI score0.00533EPSS
Exploits0References2
OSV
OSV
added 2026/06/25 6:43 p.m.4 views

GO-2026-5383 FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion in github.com/gtsteffaniak/filebrowser

FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion in github.com/gtsteffaniak/filebrowser...

9.1CVSS5.8AI score0.00523EPSS
Exploits1References3
OSV
OSV
added 2026/06/25 6:26 p.m.2 views

GO-2026-5089 FileBrowser Quantum: unauthenticated user share share info in github.com/gtsteffaniak/filebrowser

FileBrowser Quantum: unauthenticated user share share info in github.com/gtsteffaniak/filebrowser...

5.8AI score0.00052EPSS
Exploits0References2
OSV
OSV
added 2026/06/16 11:55 p.m.10 views

GO-2026-5055 File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope in github.com/filebrowser/filebrowser

File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope in github.com/filebrowser/filebrowser...

7.5CVSS5.3AI score0.0046EPSS
Exploits0References3
NVD
NVD
added 2026/06/16 8:16 p.m.12 views

CVE-2026-48777

FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields with the trusted...

9.3CVSS0.00446EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/16 6:40 p.m.47 views

CVE-2026-48777 FileBrowser Quantum: Path Traversal in public share PATCH allows file ops outside shared directory

FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are vulnerable to Path Traversal through the publicPatchHandler in backend/http/public.go which joins user-controlled fromPath and toPath body fields with the trusted...

9.3CVSS0.00446EPSS
Exploits0References3
CVE
CVE
added 2026/06/16 6:40 p.m.32 views

CVE-2026-48777

CVE-2026-48777 — FileBrowser Quantum has a path-traversal in the public share PATCH endpoint. Versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta allow an attacker with a public share link that has AllowModify=true to move, copy, or rename files outside the share root by abusing publicPatc...

9.3CVSS5.4AI score0.00446EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/12 9:7 p.m.18 views

File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path

Summary This is similar vulnrability of CVE-2026-0035, which was fixed in Android MediaProvider with high severity. In the original Java issue, MediaStore.createWriteRequest accepted attacker-controlled URIs and created a future grant even when the referenced media item did not exist yet. The...

8.4CVSS5.5AI score0.00175EPSS
Exploits0References4Affected Software2
Rows per page
Query Builder