How to fix CVE-2026-25890?

Within 24 hours: Identify all systems running File Browser versions prior to 2.57.1 and assess which contain sensitive data. Within 7 days: Apply the available patch to version 2.57.1 or later across all affected instances. Within 30 days: Conduct access logs audit for the past 30-90 days to determine if the vulnerability was exploited, and review file access permissions to ensure proper segmentation.

Is Filebrowser affected by CVE-2026-25890?

A HIGH severity vulnerability in File Browser (CVE-2026-25890) allows authenticated users to bypass file access restrictions and view confidential files through URL manipulation.

CVE-2026-25890

HIGH

2026-02-09 [email protected]

GHSA-4mh3-h929-w968

8.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 20, 2026 - 20:31 vuln.today

Public exploit code

Patch Released

Feb 20, 2026 - 20:31 nvd

Patch available

CVE Published

Feb 09, 2026 - 22:16 nvd

HIGH 8.1

Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting unauthorized access to restricted files. This vulnerability is fixed in 2.57.1.

Analysis

Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictions by injecting multiple slashes into request URLs, enabling unauthorized access to files designated as restricted. The vulnerability exploits a mismatch between the authorization validation logic and filesystem path resolution, affecting users running vulnerable versions. …

Remediation

Within 24 hours: Identify all systems running File Browser versions prior to 2.57.1 and assess which contain sensitive data. Within 7 days: Apply the available patch to version 2.57.1 or later across all affected instances. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +40

POC: +20

Vendor Status

CVE-2026-25890 vulnerability details – vuln.today

Back

CVE-2026-25890

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Vendor Status

Share

CVE-2026-25890

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Vendor Status

Share

External POC / Exploit Code