What is the CVSS score of CVE-2026-29188?

CVE-2026-29188 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Filebrowser are affected by CVE-2026-29188?

CVE-2026-29188 is a critical vulnerability in file browser functionality that could allow attackers to gain unauthorized access to upload, delete, or modify files within your systems.. A patch is available.

Is there a public PoC exploit available for CVE-2026-29188?

Yes, a public proof-of-concept exploit is available for CVE-2026-29188. Prioritise patching immediately. EPSS: 0.1%.

Filebrowser CVE-2026-29188

CRITICAL

Improper Access Control (CWE-284)

2026-03-05 security-advisories@github.com

GHSA-79pf-vx4x-7jmm

Authentication Bypass Filebrowser Suse

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

PoC Detected

Mar 10, 2026 - 19:42 vuln.today

Public exploit code

Patch released

Mar 10, 2026 - 19:42 nvd

Patch available

CVE Published

Mar 05, 2026 - 21:16 nvd

CRITICAL 9.1

DescriptionNVD

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.

AnalysisAI

Unauthorized file operations in File Browser before fix. PoC and patch available.

RemediationAI

Within 24 hours: Identify all systems running vulnerable file browser software and restrict external access to file management interfaces. Within 7 days: Apply the available vendor patch to all affected systems in a staged rollout starting with critical assets. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-29188 vulnerability details – vuln.today

Back

Filebrowser CVE-2026-29188

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code