CVE-2026-23849
published 2026-01-19


Priority: P3 (36)
CVSS 3.1: 5.3 (medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.42% (33.4th percentile)
File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue.
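The short-circuit described above next to the shape of a fix (always pay the password-hash cost, then fold "user exists" into the verdict), as an added Go example that is not File Browser's own code: slowHash is a constructed stand-in for bcrypt so the cost is visible without an external module, and users and dummyHash are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
)

// Stand-in for bcrypt (constructed for this example): iterated SHA-256 makes a
// password check slow enough that an early return is measurable. Keep bcrypt in real code.
const hashRounds = 200000

func slowHash(password string) [32]byte {
	sum := sha256.Sum256([]byte(password))
	for i := 1; i < hashRounds; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum
}

// Constructed in-memory store (username -> hash) and a hash no account uses,
// which the hardened path compares against when the username is unknown.
var (
	users     = map[string][32]byte{"alice": slowHash("correct horse")}
	dummyHash = slowHash("no-such-account-placeholder")
)

// authShortCircuit has the flawed shape: an unknown user returns before the
// expensive compare, so that path is faster than a wrong password for a real user.
func authShortCircuit(user, pass string) bool {
	stored, ok := users[user]
	if !ok {
		return false // fast path leaks "user does not exist"
	}
	got := slowHash(pass)
	return subtle.ConstantTimeCompare(got[:], stored[:]) == 1
}

// authUniform always pays the hash cost, then folds "user exists" into the
// verdict so unknown-user and wrong-password failures share one execution path.
func authUniform(user, pass string) bool {
	stored, ok := users[user]
	if !ok {
		stored = dummyHash
	}
	got := slowHash(pass)
	match := subtle.ConstantTimeCompare(got[:], stored[:]) == 1
	return ok && match
}
```

Timing each function with a known and an unknown username shows the gap for authShortCircuit and roughly equal durations for authUniform; a uniform failure path is the property to check for when reviewing the 2.55.0 fix.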

Affected (3 ranges)

Vendor        Product                     Version range    Fixed in
filebrowser   filebrowser                 < 2.55.0         2.55.0
github.com    filebrowser_filebrowser     0 – 1.11.0
github.com    filebrowser_filebrowser_v2  >= 0 < 2.55.0    2.55.0