What is the CVSS score of CVE-2025-52901?

CVE-2025-52901 has a CVSS 3.1 base score of 4.5 (Medium). CVSS vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Filebrowser are affected by CVE-2025-52901?

CVE-2025-52901 presents moderate security risk rated CVSS 4.5. Exploitation could compromise the security of affected deployments. Proof-of-concept code is publicly available.. A patch is available.

Is there a public PoC exploit available for CVE-2025-52901?

Yes, a public proof-of-concept exploit is available for CVE-2025-52901. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-52901?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Filebrowser CVE-2025-52901

EUVD-2025-19581 MEDIUM

Use of GET Request Method With Sensitive Query Strings (CWE-598)

2025-06-30 security-advisories@github.com

GHSA-rmwh-g367-mj4x

Information Disclosure Filebrowser Suse

4.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

4.5 MEDIUM

AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

SUSE

MEDIUM

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 16, 2026 - 01:25 euvd

EUVD-2025-19581

Analysis Generated

Mar 16, 2026 - 01:25 vuln.today

Patch released

Mar 16, 2026 - 01:25 nvd

Patch available

PoC Detected

Aug 04, 2025 - 18:15 vuln.today

Public exploit code

CVE Published

Jun 30, 2025 - 20:15 nvd

MEDIUM 4.5

DescriptionGitHub Advisory

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier will get leaked to anyone having access to the URLs accessed by the user. This will give an attacker full access to a user's account and, in consequence, to all sensitive files the user has access to. This issue has been patched in version 2.33.9.

AnalysisAI

CVE-2025-52901 is a security vulnerability (CVSS 4.5). Risk factors: public PoC available. Vendor patch is available.

Technical ContextAI

Vulnerability type not specified by vendor.

RemediationAI

Apply the vendor-supplied patch immediately.

More from same product – last 7 days

CVE-2026-48777 CRITICAL Act Now

9.3 Jun 16

Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all

Vendor StatusVendor

SUSE

Severity: Medium

Product	Status
SUSE Linux Enterprise Server 16.0	Fixed
openSUSE Tumbleweed	Fixed

CVE-2025-52901 vulnerability details – vuln.today

Back

Filebrowser CVE-2025-52901

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code