Skip to main content

File Browser CVE-2026-55667

| EUVDEUVD-2026-39539 HIGH
Path Traversal (CWE-22)
2026-06-25 GitHub_M
8.2
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.2 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H
vuln.today AI
8.2 HIGH

Network-reachable web app (AV:N) abused by an authenticated create-only user (PR:L); AC:H because a pre-existing escaping symlink is required; S:C as deletion crosses the scope boundary; C:N with I:H/A:H for destructive file deletion.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 20:03 EUVD
CVE Published
Jun 25, 2026 - 18:56 cve.org
HIGH 8.2
Analysis Generated
Jun 25, 2026 - 18:54 vuln.today

DescriptionCVE.org

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.16, a scoped, non-admin File Browser user holding only the Create permission can delete arbitrary files outside their scope (other tenants' data, and the application's own database) via the upload failure-cleanup path. ScopedFs.RemoveAll is the one dereferencing operation that skips the symlink guard every other method enforces. The direct-upload handler runs RemoveAll on the user-controlled path during failed-upload cleanup, gated only by Perm.Create. If an escaping directory symlink already exists inside the user's scope, an authenticated create-only user can delete an out-of-scope target, bypassing both the ScopedFs boundary and the Perm.Delete gate. This vulnerability is fixed in 2.63.16.

AnalysisAI

Arbitrary file deletion in File Browser before 2.63.16 lets a scoped, non-admin user holding only the Create permission destroy files outside their assigned scope - including other tenants' data and the application's own database. The flaw lives in the failed-upload cleanup path, where ScopedFs.RemoveAll is the single dereferencing operation that omits the symlink guard enforced everywhere else, so an attacker who plants an escaping directory symlink inside their scope can delete out-of-scope targets while only authenticated as a create-only user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as create-only scoped user
Delivery
Plant escaping directory symlink in scope
Exploit
Trigger failing direct upload on that path
Execution
RemoveAll follows symlink past scope guard
Impact
Delete out-of-scope files or app database

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated File Browser account with the Perm.Create permission (PR:L) and an escaping directory symlink that already exists inside the attacker's own scope - the attack abuses the direct-upload handler's failed-upload cleanup, which calls ScopedFs.RemoveAll (the one method that skips the symlink guard) on the user-controlled path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H, base 8.2) is internally consistent with the description: a network-reachable web app (AV:N), an authenticated create-only user (PR:L), no user interaction, and high integrity/availability impact from arbitrary deletion (C:N because data is destroyed rather than read), with changed scope (S:C) because the impact crosses the ScopedFs/tenant boundary and reaches the application database. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker provisioned as a low-privilege, create-only tenant on a shared File Browser instance first places an escaping directory symlink inside their own scope, then triggers a direct upload that is made to fail. During failed-upload cleanup the handler calls the unguarded ScopedFs.RemoveAll on the attacker-controlled path, follows the symlink, and recursively deletes an out-of-scope target such as another tenant's files or the application's own database. …
Remediation Upgrade to File Browser 2.63.16 or later, which restores the symlink guard on the RemoveAll cleanup path; this is the primary and complete fix (Vendor-released patch: 2.63.16, per advisory https://github.com/filebrowser/filebrowser/security/advisories/GHSA-fmm7-x4gx-8jhr). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-29188 CRITICAL POC
9.1 Mar 05

Unauthorized file operations in File Browser before fix. PoC and patch available.

CVE-2023-39612 CRITICAL POC
9.0 Sep 16

A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate pr

CVE-2026-25890 HIGH POC
8.1 Feb 09

Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictio

CVE-2025-52995 HIGH POC
8.0 Jun 30

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2025-52902 HIGH POC
7.6 Jun 26

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2026-28492 MEDIUM POC
6.5 Mar 05

File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public s

CVE-2025-52997 MEDIUM POC
5.9 Jun 30

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2025-52900 MEDIUM POC
5.5 Jun 26

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2026-25889 MEDIUM POC
5.4 Feb 09

Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password

CVE-2026-48777 CRITICAL
9.3 Jun 16

Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all

CVE-2026-23849 MEDIUM POC
5.3 Jan 19

Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuri

CVE-2026-54088 CRITICAL POC
9.3 Jun 25

Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS c

Share

CVE-2026-55667 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy