CVE-2026-32758Path Traversal in Filebrowser

CWE-22Path TraversalCWE-863Incorrect Authorization6 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
0.0%
top 97.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
FilebrowserGithub.com Filebrowser Filebrowser V2
Timeline
PublishedMar 20
Latest updateMar 26

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterward—resolving .. sequences into a different effective path. This allows an authent

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

CVEListV5filebrowser/filebrowser< 2.62.0

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter in github.com/filebrowser/filebrowser2026-03-26
CVEList
File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter2026-03-19
GHSA
File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter2026-03-16
OSV
File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter2026-03-16

🕵️Threat Intelligence

1
Wiz
CVE-2026-32758 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-32758 — Path Traversal in Filebrowser | cvebase