cbcvebase.
CVE-2026-54096
published 2026-06-25

CVE-2026-54096: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.7, `POST…

PriorityP349high8.4CVSS 3.1
AVLACLPRNUINSUCHIHAH
EPSS
0.18%
7.2th percentile
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.7, `POST /api/share/` accepts an authenticated request for an arbitrary path and stores a public share record without checking whether the target file currently exists. Later, when a file is created at that same path, the previously created public share immediately becomes valid and exposes the new file through `GET /api/public/dl/`. This vulnerability is fixed in 2.63.7.

Affected

3 ranges
VendorProductVersion rangeFixed in
filebrowserfilebrowser< 2.63.72.63.7
github.comfilebrowser_filebrowser0 – 1.11.0
github.comfilebrowser_filebrowser_v2>= 0 < 2.63.72.63.7

CVSS provenance

nvdv3.18.4HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa8.4HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.