Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

3 matches found

OSV
OSVadded 2026/04/08 12:4 a.m.1 views

GHSA-5Q48-Q4FM-G3M6 File Browser has an access rule bypass via HasPrefix without trailing separator in path matching

Hi, The Matches function in rules/rules.go uses strings.HasPrefix without a trailing directory separator when matching paths against access rules. A rule for /uploads also matches /uploadsbackup/, granting or denying access to unintended directories. Verified against v2.62.2 commit 860c19d. Detai...

6.3CVSS5.8AI score0.00029EPSS
Exploits1References4
CVE
CVEadded 2026/04/07 4:24 p.m.4 views

CVE-2026-35605

File Browser vulnerability CVE-2026-35605 arises from the non-regex path matching in rules/rules.go using strings.HasPrefix, which causes a rule like Path: "/uploads" to unintentionally grant/deny access to "/uploads_backup/" and other similar paths. This path-prefix logic exists prior to version...

7.5CVSS5.9AI score0.00029EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichmentadded 2026/04/07 4:24 p.m.1 views

CVE-2026-35605 File Browser has an access rule bypass via HasPrefix without trailing separator in path matching

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the Matches function in rules/rules.go uses strings.HasPrefix without a trailing directory separator when matching paths against access rules. ...

6.3CVSS5.9AI score0.00029EPSS
Exploits1References2
Rows per page
Query Builder