CVE-2026-54091

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths agains...

CVE-2026-54097 File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a low-privileged authenticated user of filebrowser with create + delete permissions in their own isolated scope can silently destroy share-link...

CVE-2026-54093

CVE-2026-54093 affects File Browser prior to v2.63.6, where archive entry names for zip/tar are built using Windows-style backslashes. On Linux, backslashes are preserved in names, allowing a Windows-style traversal like ....\evil.txt to be written on disk and then emitted verbatim in the archive...

GHSA-6CF5-W9H3-4RQV Denied Host Validation Bypass in Zitadel Actions

Summary A flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost 127.0.0.1. The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables...

CVE-2021-3800

A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition...