CVE-2026-54096
Published 2026-06-25
Priority: P349 (high). CVSS 3.1 score: 8.4
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.18% (7.2th percentile)
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.7, `POST /api/share/` accepts an authenticated request for an arbitrary path and stores a public share record without checking whether the target file currently exists. Later, when a file is created at that same path, the previously created public share immediately becomes valid and exposes the new file through `GET /api/public/dl/`. This vulnerability is fixed in 2.63.7.
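The missing check described above, sketched as an added example (not File Browser's own code or its actual patch): share creation that refuses a path with no existing target, plus an audit that finds share records already stored against non-existent paths. The `Share` type, the in-memory map store, and all function names are hypothetical, and the sample tree and legacy record are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Share is a hypothetical, simplified public-share record.
type Share struct{ Hash, Path string }
var ErrNoTarget = errors.New("share target does not exist or cannot be inspected")

// resolve maps a user-supplied path to a location inside root.
func resolve(root, p string) string {
	return filepath.Join(root, filepath.Clean("/"+p))
}

// CreateShare stores a share only if the target exists at creation time.
// Storing without the Lstat check is the behaviour the advisory describes.
func CreateShare(store map[string]Share, root, hash, p string) error {
	if _, err := os.Lstat(resolve(root, p)); err != nil {
		return fmt.Errorf("%w: %s", ErrNoTarget, p)
	}
	store[hash] = Share{Hash: hash, Path: p}
	return nil
}

// DanglingShares lists stored shares whose target is missing: records that
// would become live public links if a file later appeared at that path.
func DanglingShares(store map[string]Share, root string) []Share {
	var out []Share
	for _, s := range store {
		if _, err := os.Lstat(resolve(root, s.Path)); err != nil {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	root, _ := os.MkdirTemp("", "fb-root") // constructed sample tree
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "report.txt"), []byte("x"), 0o600)
	// Constructed legacy record created before any file existed at its path.
	store := map[string]Share{"old1": {Hash: "old1", Path: "/future/payroll.csv"}}
	fmt.Println(CreateShare(store, root, "a1", "/report.txt"))  // accepted
	fmt.Println(CreateShare(store, root, "b2", "/not-yet.txt")) // refused
	fmt.Println(DanglingShares(store, root))                    // only old1
}
```

An audit of this kind over existing share records shows whether any pre-created records remain after the existence check is in place.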
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | < 2.63.7 | 2.63.7 |
| github.com | filebrowser_filebrowser | 0 – 1.11.0 | — |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.63.7 | 2.63.7 |
CVSS provenance
nvd: CVSS v3.1, 8.4 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa: 8.4 HIGH
VulDB
filebrowser File Browser up to 2.63.6 /api/share authorization (GHSA-3q2p-72cj-682c)
vuldb·2026-06-26·CVSS 8.4
CVE-2026-54096 [HIGH] filebrowser File Browser up to 2.63.6 /api/share authorization (GHSA-3q2p-72cj-682c)
A vulnerability classified as problematic was found in filebrowser File Browser up to 2.63.6. Affected is an unknown function of the file /api/share. The manipulation results in incorrect authorization.
This vulnerability is known as CVE-2026-54096. Attacking locally is a requirement. No exploit is available.
Upgrading the affected component is advised.
GHSA
File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path
ghsa·2026-06-12·CVSS 8.4
CVE-2026-54096 [HIGH] CWE-367 File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path
### Summary
This is a similar vulnerability to **`CVE-2026-0035`**, which was fixed in Android `MediaProvider` with **high** severity. In the original Java issue, `MediaStore.createWriteRequest()` accepted attacker-controlled URIs and created a future grant even when the referenced media item did not exist yet. The Android fix added an existence check before creating the request.
`filebrowser/filebrowser` has the analogous issue in Go. `POST /api/share/` accepts an authenticated request for an arbitrary path and stores a public share record without checking whether the target file currently exists. Later, when a file is created at that same path, the previously created public share immediately