Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H
Network-reachable web app (AV:N) abused by an authenticated create-only user (PR:L); AC:H because a pre-existing escaping symlink is required; S:C as deletion crosses the scope boundary; C:N with I:H/A:H for destructive file deletion.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.16, a scoped, non-admin File Browser user holding only the Create permission can delete arbitrary files outside their scope (other tenants' data, and the application's own database) via the upload failure-cleanup path. ScopedFs.RemoveAll is the one dereferencing operation that skips the symlink guard every other method enforces. The direct-upload handler runs RemoveAll on the user-controlled path during failed-upload cleanup, gated only by Perm.Create. If an escaping directory symlink already exists inside the user's scope, an authenticated create-only user can delete an out-of-scope target, bypassing both the ScopedFs boundary and the Perm.Delete gate. This vulnerability is fixed in 2.63.16.
AnalysisAI
Arbitrary file deletion in File Browser before 2.63.16 lets a scoped, non-admin user holding only the Create permission destroy files outside their assigned scope - including other tenants' data and the application's own database. The flaw lives in the failed-upload cleanup path, where ScopedFs.RemoveAll is the single dereferencing operation that omits the symlink guard enforced everywhere else, so an attacker who plants an escaping directory symlink inside their scope can delete out-of-scope targets while only authenticated as a create-only user. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated File Browser account with the Perm.Create permission (PR:L) and an escaping directory symlink that already exists inside the attacker's own scope - the attack abuses the direct-upload handler's failed-upload cleanup, which calls ScopedFs.RemoveAll (the one method that skips the symlink guard) on the user-controlled path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H, base 8.2) is internally consistent with the description: a network-reachable web app (AV:N), an authenticated create-only user (PR:L), no user interaction, and high integrity/availability impact from arbitrary deletion (C:N because data is destroyed rather than read), with changed scope (S:C) because the impact crosses the ScopedFs/tenant boundary and reaches the application database. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker provisioned as a low-privilege, create-only tenant on a shared File Browser instance first places an escaping directory symlink inside their own scope, then triggers a direct upload that is made to fail. During failed-upload cleanup the handler calls the unguarded ScopedFs.RemoveAll on the attacker-controlled path, follows the symlink, and recursively deletes an out-of-scope target such as another tenant's files or the application's own database. … |
| Remediation | Upgrade to File Browser 2.63.16 or later, which restores the symlink guard on the RemoveAll cleanup path; this is the primary and complete fix (Vendor-released patch: 2.63.16, per advisory https://github.com/filebrowser/filebrowser/security/advisories/GHSA-fmm7-x4gx-8jhr). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Filebrowser
View allUnauthorized file operations in File Browser before fix. PoC and patch available.
A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate pr
Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictio
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public s
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password
Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all
Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuri
Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS c
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39539