Filebrowser
Monthly
Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta allows holders of a public share link with AllowModify=true to move, copy, or rename arbitrary files within the share owner's source root by abusing the publicPatchHandler in backend/http/public.go. The flaw stems from filepath.Join collapsing ../ segments BEFORE the SanitizeUserPath check runs, an identical pattern to the previously patched DELETE endpoint (CVE-2026-44542). No public exploit identified at time of analysis, but the GHSA advisory documents the exact code path and the issue is rated CVSS 4.0 9.3 (Critical).
Auto-provisioned users in File Browser's proxy authentication flow inherit elevated execution permissions that were explicitly blocked in the self-registration flow, enabling unauthorized command execution. Versions prior to 2.63.1 grant execute capabilities to proxy-auth users from global defaults, bypassing security controls added in commit b6a4fb1. This affects File Browser instances using proxy authentication for automatic user provisioning. No public exploit identified at time of analysis, though EPSS probability warrants attention given the network-accessible attack surface and high confidentiality/integrity impact.
File Browser versions prior to 2.63.1 allow authenticated users with download permission disabled to bypass access controls and read arbitrary text file content through the resourceGetHandler endpoint in http/resource.go, which fails to validate the Perm.Download permission flag unlike three other content-serving endpoints that correctly enforce this check. This authentication bypass affects any File Browser deployment where users are granted access but restricted from downloading files, and is fixed in version 2.63.1.
File Browser versions prior to 2.63.1 contain a path traversal vulnerability in the Matches() function that fails to enforce directory boundaries when evaluating access control rules. An attacker can bypass intended access restrictions by exploiting the use of strings.HasPrefix() without trailing directory separators, allowing a rule intended to restrict access to /uploads to inadvertently grant or deny access to similarly-named directories such as /uploads_backup/. This affects all File Browser versions before 2.63.1 and requires network access but no authentication or user interaction; no public exploit code or active exploitation has been confirmed at time of analysis.
Authorization bypass in File Browser allows unauthenticated access to shared files after permissions revoked. When administrators revoke a user's Share and Download permissions in File Browser (versions prior to 2.63.1), previously created share links remain accessible to unauthenticated users due to missing permission re-validation in the public share handler. This CWE-863 authorization flaw enables persistent unauthorized data access with high confidentiality impact (CVSS 8.2), though no public exploit or active exploitation (not in CISA KEV) has been identified at time of analysis.
Remote code execution in File Browser versions 2.0.0 through 2.63.1 allows authenticated administrators to execute arbitrary OS commands via malicious filenames. The vulnerability stems from unsanitized variable substitution in the hook system, which processes file events (upload, rename, delete) using administrator-defined shell commands. Attackers with file write permissions can inject shell metacharacters into filenames that trigger command execution when hooks fire. No public exploit identified at time of analysis, though EPSS data not provided. The vulnerable feature has been disabled by default from v2.33.8 onwards as a mitigation measure.
Stored cross-site scripting in FileBrowser versions prior to 1.3.1-beta and 1.2.2-stable allows authenticated attackers to inject malicious scripts through share metadata fields that are improperly rendered without HTML escaping. When victims visit affected share URLs, the injected scripts execute in their browsers with full privileges, potentially leading to session hijacking, credential theft, or further compromise. A patch is available in the fixed versions, though exploitation currently shows 0% adoption likelihood.
FileBrowser versions prior to 1.3.1-beta and 1.2.2-stable leak authentication tokens through the /public/api/share/info endpoint, allowing unauthenticated attackers to bypass password protections on shared files. The vulnerability stems from an incomplete fix to CVE-2026-27611 and enables token disclosure that could facilitate unauthorized file access. No patch is currently available for affected installations.
Unauthorized file operations in File Browser before fix. PoC and patch available.
File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public share links, enabling any user with a share link to access and download files from sibling directories beyond the intended shared folder. This authenticated network-based vulnerability affects Golang and Filebrowser and has public exploit code available. The issue is resolved in version 2.61.0 and later.
Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictions by injecting multiple slashes into request URLs, enabling unauthorized access to files designated as restricted. The vulnerability exploits a mismatch between the authorization validation logic and filesystem path resolution, affecting users running vulnerable versions. Public exploit code exists for this high-severity issue.
Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password due to case-sensitive validation logic that can be bypassed using mixed-case field names in API requests. An attacker with a valid JWT token obtained through XSS, session hijacking, or similar means could exploit this to perform account takeover. Public exploit code exists for this vulnerability, and a patch is available.
Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuring the response time of the /api/login endpo (CVSS 5.3).
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and brute-force protection makes the authentication process insecure. Attackers could mount a brute-force attack to retrieve the passwords of all accounts in a given instance. This issue has been patched in version 2.34.1.
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they are authorized for. The concrete impact of this vulnerability depends on the commands configured, and the binaries installed on the server or in the container image. Due to the missing separation of scopes on the OS-level, this could give an attacker access to all files managed the application, including the File Browser database. This issue has been patched in version 2.33.10.
CVE-2025-52901 is a security vulnerability (CVSS 4.5). Risk factors: public PoC available. Vendor patch is available.
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser. Version 2.33.7 contains a fix for the issue.
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same is true for the database used by File Browser. On standard servers using File Browser prior to version 2.33.7 where the umask configuration has not been hardened before, this makes all the stated files readable by any operating system account. Version 2.33.7 fixes the issue.
Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta allows holders of a public share link with AllowModify=true to move, copy, or rename arbitrary files within the share owner's source root by abusing the publicPatchHandler in backend/http/public.go. The flaw stems from filepath.Join collapsing ../ segments BEFORE the SanitizeUserPath check runs, an identical pattern to the previously patched DELETE endpoint (CVE-2026-44542). No public exploit identified at time of analysis, but the GHSA advisory documents the exact code path and the issue is rated CVSS 4.0 9.3 (Critical).
Auto-provisioned users in File Browser's proxy authentication flow inherit elevated execution permissions that were explicitly blocked in the self-registration flow, enabling unauthorized command execution. Versions prior to 2.63.1 grant execute capabilities to proxy-auth users from global defaults, bypassing security controls added in commit b6a4fb1. This affects File Browser instances using proxy authentication for automatic user provisioning. No public exploit identified at time of analysis, though EPSS probability warrants attention given the network-accessible attack surface and high confidentiality/integrity impact.
File Browser versions prior to 2.63.1 allow authenticated users with download permission disabled to bypass access controls and read arbitrary text file content through the resourceGetHandler endpoint in http/resource.go, which fails to validate the Perm.Download permission flag unlike three other content-serving endpoints that correctly enforce this check. This authentication bypass affects any File Browser deployment where users are granted access but restricted from downloading files, and is fixed in version 2.63.1.
File Browser versions prior to 2.63.1 contain a path traversal vulnerability in the Matches() function that fails to enforce directory boundaries when evaluating access control rules. An attacker can bypass intended access restrictions by exploiting the use of strings.HasPrefix() without trailing directory separators, allowing a rule intended to restrict access to /uploads to inadvertently grant or deny access to similarly-named directories such as /uploads_backup/. This affects all File Browser versions before 2.63.1 and requires network access but no authentication or user interaction; no public exploit code or active exploitation has been confirmed at time of analysis.
Authorization bypass in File Browser allows unauthenticated access to shared files after permissions revoked. When administrators revoke a user's Share and Download permissions in File Browser (versions prior to 2.63.1), previously created share links remain accessible to unauthenticated users due to missing permission re-validation in the public share handler. This CWE-863 authorization flaw enables persistent unauthorized data access with high confidentiality impact (CVSS 8.2), though no public exploit or active exploitation (not in CISA KEV) has been identified at time of analysis.
Remote code execution in File Browser versions 2.0.0 through 2.63.1 allows authenticated administrators to execute arbitrary OS commands via malicious filenames. The vulnerability stems from unsanitized variable substitution in the hook system, which processes file events (upload, rename, delete) using administrator-defined shell commands. Attackers with file write permissions can inject shell metacharacters into filenames that trigger command execution when hooks fire. No public exploit identified at time of analysis, though EPSS data not provided. The vulnerable feature has been disabled by default from v2.33.8 onwards as a mitigation measure.
Stored cross-site scripting in FileBrowser versions prior to 1.3.1-beta and 1.2.2-stable allows authenticated attackers to inject malicious scripts through share metadata fields that are improperly rendered without HTML escaping. When victims visit affected share URLs, the injected scripts execute in their browsers with full privileges, potentially leading to session hijacking, credential theft, or further compromise. A patch is available in the fixed versions, though exploitation currently shows 0% adoption likelihood.
FileBrowser versions prior to 1.3.1-beta and 1.2.2-stable leak authentication tokens through the /public/api/share/info endpoint, allowing unauthenticated attackers to bypass password protections on shared files. The vulnerability stems from an incomplete fix to CVE-2026-27611 and enables token disclosure that could facilitate unauthorized file access. No patch is currently available for affected installations.
Unauthorized file operations in File Browser before fix. PoC and patch available.
File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public share links, enabling any user with a share link to access and download files from sibling directories beyond the intended shared folder. This authenticated network-based vulnerability affects Golang and Filebrowser and has public exploit code available. The issue is resolved in version 2.61.0 and later.
Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictions by injecting multiple slashes into request URLs, enabling unauthorized access to files designated as restricted. The vulnerability exploits a mismatch between the authorization validation logic and filesystem path resolution, affecting users running vulnerable versions. Public exploit code exists for this high-severity issue.
Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password due to case-sensitive validation logic that can be bypassed using mixed-case field names in API requests. An attacker with a valid JWT token obtained through XSS, session hijacking, or similar means could exploit this to perform account takeover. Public exploit code exists for this vulnerability, and a patch is available.
Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuring the response time of the /api/login endpo (CVSS 5.3).
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and brute-force protection makes the authentication process insecure. Attackers could mount a brute-force attack to retrieve the passwords of all accounts in a given instance. This issue has been patched in version 2.34.1.
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they are authorized for. The concrete impact of this vulnerability depends on the commands configured, and the binaries installed on the server or in the container image. Due to the missing separation of scopes on the OS-level, this could give an attacker access to all files managed the application, including the File Browser database. This issue has been patched in version 2.33.10.
CVE-2025-52901 is a security vulnerability (CVSS 4.5). Risk factors: public PoC available. Vendor patch is available.
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser. Version 2.33.7 contains a fix for the issue.
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same is true for the database used by File Browser. On standard servers using File Browser prior to version 2.33.7 where the umask configuration has not been hardened before, this makes all the stated files readable by any operating system account. Version 2.33.7 fixes the issue.