Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
AC:H for the mandatory multi-step precondition chain; PR:L because directory deletion requires authentication; C:L as the sole impact is unauthorized read of files at the recreated path.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser can leave a public directory share behind when the shared directory is deleted through a path with a trailing slash because the share cleanup path calls DeleteWithPathPrefix(file.Path, userID) and the Bolt backend performs the database prefix query with the unnormalized path before trimming the slash for boundary checks, so deleting /a/ does not delete the stored /a share and the stale public share exposes future content if the same path is recreated. This issue is fixed in version 2.63.17.
AnalysisAI
File Browser prior to 2.63.17 retains stale public directory share records after a shared directory is deleted via a trailing-slash path, because the Bolt storage backend queries for shares using the unnormalized path before trimming the slash - causing the exact-match share record (stored as '/a') to be missed by a query against '/a/'. If the directory is subsequently recreated at the same path, any holder of the original share URL immediately gains unauthorized read access to the new directory contents. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following specific conditions to be met simultaneously: (1) A public share must have been previously created for a directory on the File Browser instance, stored in BoltDB as path '/X' (without trailing slash); (2) that directory must be deleted via the trailing-slash API path (e.g., 'DELETE /api/resources/X/'), which is the standard behavior of the File Browser web UI and REST API for directory resources - this requires the deleting user to have at least low-privilege authenticated access; (3) the same directory path must be subsequently recreated and populated with content. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-reported CVSS 3.1 score of 3.1 (Low) is consistent with the constrained exploitation scenario: AC:H reflects the multi-step precondition chain (active share exists, deletion must use trailing-slash path, and the same path must be recreated); PR:L confirms an authenticated user is required to trigger the deletion; and C:L bounds impact to unauthorized read of files placed at the recreated path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated low-privilege user creates a public share link for the directory '/a/' on a File Browser instance. The user (or an administrator) then deletes '/a/' through the standard web interface, which issues the request as 'DELETE /api/resources/a/' - triggering the buggy trailing-slash code path that leaves the '/a' share record intact in BoltDB. … |
| Remediation | Upgrade to File Browser version 2.63.17 or later, available at https://github.com/filebrowser/filebrowser/releases/tag/v2.63.17. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Filebrowser
View allUnauthorized file operations in File Browser before fix. PoC and patch available.
A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate pr
Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictio
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public s
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password
Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all
Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuri
Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS c
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44705