Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Network-delivered via web API (AV:N), symlink sequencing adds real complexity (AC:H), requires authenticated Create+Modify user (PR:L), scope changes to host filesystem (S:C), integrity-only impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create attacker-controlled files outside the user's scope. This issue is fixed in version 2.63.16.
AnalysisAI
Symlink-based path traversal in File Browser prior to 2.63.16 allows an authenticated low-privilege user with Create and Modify permissions to write attacker-controlled files outside their designated scope. The flaw resides in ScopedFs, which validates only the nearest existing ancestor of a dangling symlink - leaving it in-scope - and then follows the symlink during file creation, landing the resulting file in an arbitrary location on the underlying filesystem. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid authenticated session in filebrowser (PR:L - low-privilege account) AND that account must have both Create and Modify permissions explicitly granted within the application. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 base score of 6.3 (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N) accurately captures the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated filebrowser user with Create and Modify permissions crafts a dangling symbolic link inside their permitted scope directory, pointing to a sensitive path outside it (e.g., /etc/cron.d/). The user then triggers a file creation operation through that symlink path via the web API; ScopedFs approves the operation because the symlink's existing ancestor is in-scope, and the resulting file is written to /etc/cron.d/ on the host. … |
| Remediation | Upgrade filebrowser to version 2.63.16 or later, which resolves the ScopedFs ancestor-validation flaw; the fix commit is available at https://github.com/filebrowser/filebrowser/commit/64511ce45e3be379e965f7f4fb0929a068d5bb81. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42272