Severity: 8.0 HIGH (NVD)
EPSS: 0.5% (top 35.19%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline:
Published: Jun 26
Latest update: Jul 28

Description

File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename and edit files. In version 2.32.0, the Command Execution feature of File Browser only allows the execution of shell commands that have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary other commands, rendering this limitation void. The concrete impact depends on the commands being granted to the attacker, but the large num

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitability: 1.3 | Impact: 6.0

Affected Packages: 4 packages

Vulnerability Details (4)

OSV: filebrowser Allows Shell Commands to Spawn Other Commands in github.com/filebrowser/filebrowser (2025-07-28)
OSV: filebrowser Allows Shell Commands to Spawn Other Commands (2025-06-27)
GHSA: filebrowser Allows Shell Commands to Spawn Other Commands (2025-06-27)
CVEList: File Browser Allows Execution of Shell Commands That Can Spawn Other Commands (2025-06-26)
CVE-2025-52903 — Command Injection in Filebrowser | cvebase