CVE-2026-35585OS Command Injection in Filebrowser Filebrowser V2

CWE-78OS Command InjectionCWE-88Argument Injection5 documents5 sources
Severity
7.5HIGHNVD
EPSS
1.1%
top 22.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Filebrowser Filebrowser V2Filebrowser
Timeline
PublishedApr 7
Latest updateApr 8

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 through 2.63.1, the hook system in File Browser — which executes administrator-defined shell commands on file events such as upload, rename, and delete — is vulnerable to OS command injection. Variable substitution for values like $FILE and $USERNAME is performed via os.Expand without sanitization. An attacker with file write permission can craft a m

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

Gogithub.com/filebrowser_filebrowser_v22.0.0-rc.12.63.1
CVEListV5filebrowser/filebrowser>= 2.0.0-rc.1, <= 2.63.1

🔴Vulnerability Details

3
OSV
File Browser has a Command Injection via Hook Runner2026-04-08
GHSA
File Browser has a Command Injection via Hook Runner2026-04-08
CVEList
File Browser has a Command Injection via Hook Runner2026-04-07

🕵️Threat Intelligence

1
Wiz
CVE-2026-35585 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-35585 — OS Command Injection | cvebase