Skip to main content

File Browser CVE-2026-55668

| EUVDEUVD-2026-42272 MEDIUM
Path Traversal (CWE-22)
2026-07-08 security-advisories@github.com
6.3
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
vuln.today AI
6.3 MEDIUM

Network-delivered via web API (AV:N), symlink sequencing adds real complexity (AC:H), requires authenticated Create+Modify user (PR:L), scope changes to host filesystem (S:C), integrity-only impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 16:04 vuln.today
Patch available
Jul 08, 2026 - 16:01 EUVD

DescriptionCVE.org

File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create attacker-controlled files outside the user's scope. This issue is fixed in version 2.63.16.

AnalysisAI

Symlink-based path traversal in File Browser prior to 2.63.16 allows an authenticated low-privilege user with Create and Modify permissions to write attacker-controlled files outside their designated scope. The flaw resides in ScopedFs, which validates only the nearest existing ancestor of a dangling symlink - leaving it in-scope - and then follows the symlink during file creation, landing the resulting file in an arbitrary location on the underlying filesystem. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege filebrowser user
Delivery
Create dangling symlink inside permitted scope pointing to out-of-scope path
Exploit
Trigger file creation via symlink path through web API
Execution
ScopedFs validates in-scope ancestor and approves request
Impact
File written to attacker-chosen out-of-scope filesystem location

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid authenticated session in filebrowser (PR:L - low-privilege account) AND that account must have both Create and Modify permissions explicitly granted within the application. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 base score of 6.3 (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N) accurately captures the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated filebrowser user with Create and Modify permissions crafts a dangling symbolic link inside their permitted scope directory, pointing to a sensitive path outside it (e.g., /etc/cron.d/). The user then triggers a file creation operation through that symlink path via the web API; ScopedFs approves the operation because the symlink's existing ancestor is in-scope, and the resulting file is written to /etc/cron.d/ on the host. …
Remediation Upgrade filebrowser to version 2.63.16 or later, which resolves the ScopedFs ancestor-validation flaw; the fix commit is available at https://github.com/filebrowser/filebrowser/commit/64511ce45e3be379e965f7f4fb0929a068d5bb81. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55668 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy