Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Open network signup gives PR:N/UI:N; crafting a username that normalizes to a victim's scope plus the non-default config warrants AC:H; the victim's files become fully readable and writable, so C/I/A:H.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser builds new user scopes from usernames passed through cleanUsername() when Signup=true and CreateUserDir=true, but the many-to-one normalization can collapse usernames such as team/one, team one, and team-one to the same home directory without checking whether the resulting scope is already taken, allowing a second registrant to gain full read and write access to another user's files. This issue is fixed in version 2.63.17.
AnalysisAI
Home-directory hijacking in File Browser before 2.63.17 lets an unauthenticated attacker gain full read/write access to another user's files by registering a username that normalizes to a victim's scope. Because cleanUsername() is a many-to-one transform, distinct usernames such as team/one, team one, and team-one collapse to the same home directory, and the signup path never checked whether the derived scope was already owned. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the instance to run with both the Signup feature enabled (Signup=true) and per-user home-directory creation enabled (CreateUserDir=true) - neither is a universal default, so this is a configuration-dependent flaw. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, unauthenticated, no user interaction, with high confidentiality, integrity, and availability impact on the victim's files, but High attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a File Browser instance with open signup and per-user directories enabled, an attacker learns or guesses a target's username (e.g., a display name containing a space or slash) and registers a distinct variant that cleanUsername() normalizes to the same scope. The server hands the attacker the victim's existing home directory, granting full read, modification, and deletion of the victim's files. … |
| Remediation | Vendor-released patch: upgrade to File Browser v2.63.17, which adds a GetByScope() check in the signup handler that returns HTTP 409 Conflict when a newly derived home-directory scope is already owned (fix commit 883a36f02fcb69566a8628cb47f18fdc73348387; advisory GHSA-7rc3-g7h6-22m7). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all File Browser deployments and their current versions; immediately isolate the service from production networks or disable it if operations permit. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Filebrowser
View allUnauthorized file operations in File Browser before fix. PoC and patch available.
A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate pr
Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictio
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public s
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ
Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password
Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all
Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuri
Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS c
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44708