Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable but requires authenticated access (PR:L) and a specific trailing-slash delete/recreate sequence (AC:H); confidentiality impact is partial via stale share URL only (C:L), no integrity or availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose new contents through the dormant public share URL.
AnalysisAI
Path normalization failure in filebrowser's DeleteWithPathPrefix function allows authenticated users on versions before 2.63.17 to leave stale public share records intact by deleting directories with trailing-slash paths. After deletion, an attacker can recreate the same directory path and cause its new contents to be silently exposed through the previously dormant, still-valid public share URL. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated filebrowser account (PR:L per CVSS vector) with permission to create public shares and delete directories on a deployment running any version prior to 2.63.17. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) scores 2.3 and accurately reflects the constrained risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user on a shared filebrowser instance creates a public share for /team-docs/ and records the resulting public URL. The attacker then issues a delete request for /team-docs/ (with trailing slash), which bypasses path normalization in DeleteWithPathPrefix and leaves the share record intact. … |
| Remediation | Upgrade filebrowser to version 2.63.17 or later, which incorporates the fix committed at https://github.com/filebrowser/filebrowser/commit/be23ab3a15bf957928ecfed88de5ab67850c1b9c. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Filebrowser
View allUnauthorized file operations in File Browser before fix. PoC and patch available.
A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate pr
Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictio
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public s
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password
Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all
Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuri
Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS c
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43234
GHSA-7cj6-cw3p-4jpw