Is there a patch available for EUVD-2026-19778?

Yes, a patch is available for EUVD-2026-19778. Update the affected software to the latest version immediately.

Filebrowser EUVD-2026-19778

Q: What is the CVSS score of EUVD-2026-19778?

EUVD-2026-19778 has a CVSS 4.0 base score of 6.3 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

| CVE-2026-35605 MEDIUM

Path Traversal (CWE-22)

2026-04-07 GitHub_M

GHSA-5q48-q4fm-g3m6

Path Traversal Filebrowser

6.3

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.3 MEDIUM

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch released

Apr 08, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 07, 2026 - 17:00 euvd

EUVD-2026-19778

Analysis Generated

Apr 07, 2026 - 17:00 vuln.today

CVE Published

Apr 07, 2026 - 16:24 nvd

MEDIUM 6.3

DescriptionGitHub Advisory

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the Matches() function in rules/rules.go uses strings.HasPrefix() without a trailing directory separator when matching paths against access rules. A rule for /uploads also matches /uploads_backup/, granting or denying access to unintended directories. This vulnerability is fixed in 2.63.1.

AnalysisAI

File Browser versions prior to 2.63.1 contain a path traversal vulnerability in the Matches() function that fails to enforce directory boundaries when evaluating access control rules. An attacker can bypass intended access restrictions by exploiting the use of strings.HasPrefix() without trailing directory separators, allowing a rule intended to restrict access to /uploads to inadvertently grant or deny access to similarly-named directories such as /uploads_backup/. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS v4.0 score of 6.3 reflects low-to-moderate severity with a network attack vector, high attack complexity, and low integrity impact (VI:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A File Browser administrator configures an access rule to restrict a sensitive directory: 'deny /sensitive_data'. Due to the vulnerability, a second directory named /sensitive_data_archive/ is also inadvertently denied access. …
Remediation	Upgrade File Browser to version 2.63.1 or later, which includes a corrected Matches() function that properly validates directory boundaries. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48777 CRITICAL Act Now

9.3 Jun 16

Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all

EUVD-2026-19778 vulnerability details – vuln.today

Back