CVE-2025-52995 — Command Injection in Filebrowser

CWE-77 — Command Injection5 documents4 sources

Severity

6.6MEDIUMNVD

CNA8.0

EPSS

0.2%

top 60.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Filebrowser Github.com Filebrowser Filebrowser V2 Github.com Filebrowser Filebrowser

Timeline

PublishedJun 30

Latest updateJul 28

Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they are authorized for. The concrete impact of this vulnerability depends on the commands configured, and the binaries installed on the server or in the container image. Due to the missing separation of scopes on the OS-leve…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.7 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5filebrowser/filebrowser< 2.33.10

▶Gogithub.com/filebrowser_filebrowser_v2< 2.33.10

▶NVDfilebrowser/filebrowser2.33.8

▶Gogithub.com/filebrowser_filebrowser1.11.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

File Browser vulnerable to command execution allowlist bypass in github.com/filebrowser/filebrowser↗2025-07-28

▶

OSV

File Browser vulnerable to command execution allowlist bypass↗2025-06-30

▶

GHSA

File Browser vulnerable to command execution allowlist bypass↗2025-06-30

▶

CVEList

File Browser vulnerable to command execution allowlist bypass↗2025-06-30

▶