CVE-2026-34528Improper Privilege Management in Filebrowser

CWE-269Improper Privilege Management5 documents5 sources
Severity
9.8CRITICALNVD
CNA8.1
EPSS
0.2%
top 60.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
FilebrowserGithub.com Filebrowser Filebrowser V2
Timeline
PublishedApr 1

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

CVEListV5filebrowser/filebrowser< 2.62.2

🔴Vulnerability Details

3
CVEList
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution2026-04-01
GHSA
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution2026-03-31
OSV
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution2026-03-31

🕵️Threat Intelligence

1
Wiz
CVE-2026-34528 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-34528 — Improper Privilege Management | cvebase