What is the CVSS score of EUVD-2025-19580?

EUVD-2025-19580 has a CVSS 3.1 base score of 8.0 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Filebrowser are affected by EUVD-2025-19580?

CVE-2025-52995 presents notable security risk, a command injection vulnerability rated CVSS 8.0.. A patch is available.

Is there a public PoC exploit available for EUVD-2025-19580?

Yes, a public proof-of-concept exploit is available for EUVD-2025-19580. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate EUVD-2025-19580?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Validate that input sanitization is in place for all user-controlled parameters.

Filebrowser EUVD-2025-19580

| CVE-2025-52995 HIGH

Command Injection (CWE-77)

2025-06-30 security-advisories@github.com

GHSA-w7qc-6grj-w7r8

Command Injection Filebrowser Suse

8.0

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.0 HIGH

AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

SUSE

6.6 MEDIUM

AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 16, 2026 - 01:25 euvd

EUVD-2025-19580

Analysis Generated

Mar 16, 2026 - 01:25 vuln.today

Patch released

Mar 16, 2026 - 01:25 nvd

Patch available

PoC Detected

Jul 10, 2025 - 14:21 vuln.today

Public exploit code

CVE Published

Jun 30, 2025 - 20:15 nvd

HIGH 8.0

DescriptionGitHub Advisory

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they are authorized for. The concrete impact of this vulnerability depends on the commands configured, and the binaries installed on the server or in the container image. Due to the missing separation of scopes on the OS-level, this could give an attacker access to all files managed the application, including the File Browser database. This issue has been patched in version 2.33.10.

Analysis

Technical ContextAI

Command injection allows an attacker to execute arbitrary OS commands on the host system through a vulnerable application that passes user input to system shells.

RemediationAI

A vendor patch is available — apply it immediately. Avoid passing user input to system commands. Use language-specific APIs instead of shell commands. If unavoidable, use strict input validation and escaping.

More from same product – last 7 days

CVE-2026-48777 CRITICAL Act Now

9.3 Jun 16

Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all

Vendor StatusVendor

SUSE

Severity: Medium

Product	Status
SUSE Linux Enterprise Server 16.0	Fixed
openSUSE Tumbleweed	Fixed

EUVD-2025-19580 vulnerability details – vuln.today

Back

Filebrowser EUVD-2025-19580

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Analysis

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code