CVE-2025-52904: Command Injection in Filebrowser

CWE-77: Command Injection | 5 documents | 4 sources
Severity: 8.0 HIGH (NVD)
EPSS: 0.4% (top 38.81%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 26
Latest update: Jul 28

Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In version 2.32.0 of the web application, all users have a scope assigned, and they only have access to the files within that scope. The Command Execution feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server. Until th

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitability: 1.3 | Impact: 6.0

Affected Packages: 4 packages

Vulnerability Details (4)

OSV | File Browser: Command Execution not Limited to Scope in github.com/filebrowser/filebrowser | 2025-07-28
GHSA | File Browser: Command Execution not Limited to Scope | 2025-06-30
OSV | File Browser: Command Execution not Limited to Scope | 2025-06-30
CVEList | File Browser: Command Execution not Limited to Scope | 2025-06-26