Skip to main content

File Browser CVE-2026-62683

| EUVDEUVD-2026-44705 LOW
Incorrect Authorization (CWE-863)
2026-07-15 GitHub_M
3.1
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
3.1 LOW

AC:H for the mandatory multi-step precondition chain; PR:L because directory deletion requires authentication; C:L as the sole impact is unauthorized read of files at the recreated path.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 17:48 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 16:19 vuln.today
Analysis Generated
Jul 15, 2026 - 16:19 vuln.today

DescriptionCVE.org

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser can leave a public directory share behind when the shared directory is deleted through a path with a trailing slash because the share cleanup path calls DeleteWithPathPrefix(file.Path, userID) and the Bolt backend performs the database prefix query with the unnormalized path before trimming the slash for boundary checks, so deleting /a/ does not delete the stored /a share and the stale public share exposes future content if the same path is recreated. This issue is fixed in version 2.63.17.

AnalysisAI

File Browser prior to 2.63.17 retains stale public directory share records after a shared directory is deleted via a trailing-slash path, because the Bolt storage backend queries for shares using the unnormalized path before trimming the slash - causing the exact-match share record (stored as '/a') to be missed by a query against '/a/'. If the directory is subsequently recreated at the same path, any holder of the original share URL immediately gains unauthorized read access to the new directory contents. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticated user creates public share for directory
Delivery
Directory deleted via trailing-slash API path
Exploit
Bolt prefix query misses stored share record
Execution
Stale share remains active in database
Persist
Administrator recreates directory at same path with new content
Impact
Share-link holder accesses new content via stale URL without authorization

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following specific conditions to be met simultaneously: (1) A public share must have been previously created for a directory on the File Browser instance, stored in BoltDB as path '/X' (without trailing slash); (2) that directory must be deleted via the trailing-slash API path (e.g., 'DELETE /api/resources/X/'), which is the standard behavior of the File Browser web UI and REST API for directory resources - this requires the deleting user to have at least low-privilege authenticated access; (3) the same directory path must be subsequently recreated and populated with content. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-reported CVSS 3.1 score of 3.1 (Low) is consistent with the constrained exploitation scenario: AC:H reflects the multi-step precondition chain (active share exists, deletion must use trailing-slash path, and the same path must be recreated); PR:L confirms an authenticated user is required to trigger the deletion; and C:L bounds impact to unauthorized read of files placed at the recreated path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privilege user creates a public share link for the directory '/a/' on a File Browser instance. The user (or an administrator) then deletes '/a/' through the standard web interface, which issues the request as 'DELETE /api/resources/a/' - triggering the buggy trailing-slash code path that leaves the '/a' share record intact in BoltDB. …
Remediation Upgrade to File Browser version 2.63.17 or later, available at https://github.com/filebrowser/filebrowser/releases/tag/v2.63.17. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-29188 CRITICAL POC
9.1 Mar 05

Unauthorized file operations in File Browser before fix. PoC and patch available.

CVE-2023-39612 CRITICAL POC
9.0 Sep 16

A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate pr

CVE-2026-25890 HIGH POC
8.1 Feb 09

Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictio

CVE-2025-52995 HIGH POC
8.0 Jun 30

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2025-52902 HIGH POC
7.6 Jun 26

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2026-28492 MEDIUM POC
6.5 Mar 05

File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public s

CVE-2025-52997 MEDIUM POC
5.9 Jun 30

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2025-52900 MEDIUM POC
5.5 Jun 26

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2026-25889 MEDIUM POC
5.4 Feb 09

Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password

CVE-2026-48777 CRITICAL
9.3 Jun 16

Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all

CVE-2026-23849 MEDIUM POC
5.3 Jan 19

Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuri

CVE-2026-54088 CRITICAL POC
9.3 Jun 25

Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS c

Share

CVE-2026-62683 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy