GO-2026-4713 File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely in github.com/filebrowser/filebrowser

File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely in github.com/filebrowser/filebrowser...

CVE-2026-32759 File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions on the 2.x branch prior to 2.33.8, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating th...

CVE-2026-32759

File Browser CVE-2026-32759 affects versions 2.61.2 and earlier with a faulty TUS upload handler: Upload-Length is parsed as signed 64-bit without non-negative validation, allowing an authenticated user to supply a negative value that completes uploads on the first PATCH. This can trigger after_u...

Integer Overflow or Wraparound

Overview github.com/filebrowser/filebrowser/v2/http is a web file browser. Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the getUploadLength function. An attacker can repeatedly trigger post-upload hooks with arbitrary filenames and empty file contents by...