CVE-2025-52996
Published 2025-06-30
Priority: P4 22 | Severity: medium | CVSS 3.1: 4.3
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS: 0.31% (22.9th percentile)
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions 2.32.0 and prior, the implementation of password protected links is error-prone, resulting in potential unprotected sharing of a file through a direct download link. This link can either be shared unknowingly by a user or discovered from various locations such as the browser history or the log of a proxy server used. At time of publication, no known patched versions are available.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | <= 2.32.0 | — |
| github.com | filebrowser_filebrowser | 0 – 1.11.0 | — |
| github.com | filebrowser_filebrowser_v2 | 0 – 2.42.1 | — |
OSV
File Browser's password protection of links is bypassable in github.com/filebrowser/filebrowser
osv·2025-07-28
CVE-2025-52996 File Browser's password protection of links is bypassable in github.com/filebrowser/filebrowser
GHSA
File Browser's password protection of links is bypassable
ghsa·2025-06-30
CVE-2025-52996 [LOW] CWE-305 File Browser's password protection of links is bypassable
## Summary ##
Files managed by the *File Browser* can be shared with external persons via a link. While the application allows protecting those links with a password, the implementation is error-prone, making accidental unprotected sharing of a file possible.
## Impact ##
File owners might assume that their shared files are accessible only to persons who know the defined password, which gives them a false sense of security. Meanwhile, attackers who gain access to the unprotected link can use this information alone to download the possibly sensitive file.
## Vulnerability Description ##
When sharing a file, the user is presented with a dialog asking for an optional password to protect the file share. The assumption o
OSV
File Browser's password protection of links is bypassable
osv·2025-06-30
CVE-2025-52996 [LOW] File Browser's password protection of links is bypassable
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-06-30
Published