Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Primary rating from Vendor (GitHub_M) · only source for this CVE.
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.63.6 to 2.63.16, File Browser's archive builder uses strings.ReplaceAll(nameInArchive, "\", "/"), which turns a POSIX filename such as ..\..\evil.sh into the archive entry ../../evil.sh, allowing a user with upload permission to plant a backslash-named file that escapes the extraction directory when another user downloads and extracts the generated zip or tar archive. This issue is fixed in version 2.63.17.
AnalysisAI
Zip-slip path traversal in File Browser 2.63.6–2.63.16 allows a low-privileged user with upload permission to plant a POSIX backslash-named file that the archive builder incorrectly normalizes into a directory traversal sequence, enabling arbitrary file write on any victim who downloads and extracts the generated archive. The root cause is the server-side conversion of \ to / in archive entry names, which manufactures paths like ../../evil.sh from the legal POSIX filename ..\..\evil.sh. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Filebrowser
View allUnauthorized file operations in File Browser before fix. PoC and patch available.
A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate pr
Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictio
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public s
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password
Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all
Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuri
Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS c
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44707