CVE-2026-25889: Improper Handling of Case Sensitivity in Filebrowser

Severity
5.4 MEDIUM (NVD)
EPSS
0.0%
top 97.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 9
Latest update: Feb 17

Description

File Browser provides a file managing interface within a specified directory, and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using the Title Case field name "Password" instead of the lowercase "password" in the API request, the current_password verification is completel

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.5

Affected Packages: 3 packages

Patches

🔴Vulnerability Details

4
OSV
File Browser has an Authentication Bypass in User Password Update in github.com/filebrowser/filebrowser (2026-02-17)
GHSA
File Browser has an Authentication Bypass in User Password Update (2026-02-10)
OSV
File Browser has an Authentication Bypass in User Password Update (2026-02-10)
CVEList
File Browser has an Authentication Bypass in User Password Update (2026-02-09)

🕵️Threat Intelligence

1
Wiz
CVE-2026-25889 Impact, Exploitability, and Mitigation Steps | Wiz