Skip to main content

filebrowser EUVDEUVD-2026-43234

| CVE-2026-61874 LOW
Incorrect Authorization (CWE-863)
2026-07-12 VulnCheck GHSA-7cj6-cw3p-4jpw
2.3
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

Network-reachable but requires authenticated access (PR:L) and a specific trailing-slash delete/recreate sequence (AC:H); confidentiality impact is partial via stale share URL only (C:L), no integrity or availability impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 12, 2026 - 12:52 vuln.today

DescriptionCVE.org

filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose new contents through the dormant public share URL.

AnalysisAI

Path normalization failure in filebrowser's DeleteWithPathPrefix function allows authenticated users on versions before 2.63.17 to leave stale public share records intact by deleting directories with trailing-slash paths. After deletion, an attacker can recreate the same directory path and cause its new contents to be silently exposed through the previously dormant, still-valid public share URL. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to filebrowser with low-privilege account
Delivery
Create public share for target directory
Exploit
Delete directory using trailing-slash path to bypass share index cleanup
Execution
Recreate directory at identical path
Persist
Victim user places files in recreated directory
Impact
New contents silently exposed via dormant public share URL

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated filebrowser account (PR:L per CVSS vector) with permission to create public shares and delete directories on a deployment running any version prior to 2.63.17. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) scores 2.3 and accurately reflects the constrained risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user on a shared filebrowser instance creates a public share for /team-docs/ and records the resulting public URL. The attacker then issues a delete request for /team-docs/ (with trailing slash), which bypasses path normalization in DeleteWithPathPrefix and leaves the share record intact. …
Remediation Upgrade filebrowser to version 2.63.17 or later, which incorporates the fix committed at https://github.com/filebrowser/filebrowser/commit/be23ab3a15bf957928ecfed88de5ab67850c1b9c. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-29188 CRITICAL POC
9.1 Mar 05

Unauthorized file operations in File Browser before fix. PoC and patch available.

CVE-2023-39612 CRITICAL POC
9.0 Sep 16

A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate pr

CVE-2026-25890 HIGH POC
8.1 Feb 09

Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictio

CVE-2025-52995 HIGH POC
8.0 Jun 30

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2025-52902 HIGH POC
7.6 Jun 26

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2026-28492 MEDIUM POC
6.5 Mar 05

File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public s

CVE-2025-52997 MEDIUM POC
5.9 Jun 30

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2025-52900 MEDIUM POC
5.5 Jun 26

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2026-25889 MEDIUM POC
5.4 Feb 09

Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password

CVE-2026-48777 CRITICAL
9.3 Jun 16

Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all

CVE-2026-23849 MEDIUM POC
5.3 Jan 19

Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuri

CVE-2026-54088 CRITICAL POC
9.3 Jun 25

Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS c

Share

EUVD-2026-43234 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy