CVE-2026-54097
published 2026-06-25CVE-2026-54097: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a…
PriorityP347high7.2CVSS 4.0
AVNACLATNPRLUINVCNVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.41%
32.8th percentile
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a low-privileged authenticated user of filebrowser (with create + delete permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user's stored share.Link.Path. The file contents of the victim are not exposed, but the victim's share links are irrevocably wiped. This vulnerability is fixed in 2.63.6.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | < 2.63.6 | 2.63.6 |
| github.com | filebrowser_filebrowser | 0 – 1.11.0 | — |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.63.6 | 2.63.6 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
filebrowser File Browser up to 2.63.5 authorization (GHSA-5ww9-jg6q-38r7)
vuldb·2026-06-26·CVSS 7.2
CVE-2026-54097 [HIGH] filebrowser File Browser up to 2.63.5 authorization (GHSA-5ww9-jg6q-38r7)
A vulnerability, which was classified as problematic, has been found in filebrowser File Browser up to 2.63.5. Affected by this vulnerability is an unknown functionality. This manipulation causes authorization bypass.
This vulnerability is handled as CVE-2026-54097. The attack can be initiated remotely. There is not any exploit available.
It is advisable to upgrade the affected component.
GHSA
File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix
ghsa·2026-06-12
CVE-2026-54097 [HIGH] CWE-639 File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix
File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix
### Summary
A low-privileged authenticated user of filebrowser (with `create` + `delete` permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user's stored `share.Link.Path`. The file contents of the victim are not exposed, but the victim's share links are irrevocably wiped.
### Details
`resourceDeleteHandler` in `http/resource.go` cleans up any share records that reference a deleted file by calling:
```go
// http/resource.go
err = d.store.Share.DeleteWithPathPrefix(file
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-25
Published