2 matches found
CVE-2026-55667
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.16, a scoped, non-admin File Browser user holding only the Create permission can delete arbitrary files outside their scope other tenants' data, a...
CVE-2026-55667
File Browser CVE-2026-55667 allows a scoped, non-admin user with only Create permission to delete files outside their scope during failed-upload cleanup. The issue stems from ScopedFs.RemoveAll bypassing the symlink guard that other methods enforce, with the direct-upload cleanup path invoking Re...