github.com/filebrowser/filebrowser vulnerabilities

11 known vulnerabilities affecting github.com/filebrowser/filebrowser.

Total CVEs: 11
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 5, MEDIUM 4, LOW 1, UNKNOWN 1

Vulnerabilities

CVE-2026-23849 | MEDIUM | CWE-203 | Affected: ≥ 0, ≤ 1.11.0 | Published: 2026-01-21
File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login
Summary: The JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint.
Details: The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username i
Sources: GHSA, OSV

CVE-2025-53893 | UNKNOWN | Affected: ≥ 1.0.0 | Published: 2025-07-28
File Browser's Uncontrolled Memory Consumption vulnerability can enable DoS attack due to oversized file processing in github.com/filebrowser/filebrowser
Sources: OSV

CVE-2025-53826 | HIGH | CWE-305 | Affected: ≥ 0, ≤ 2.39.0 | Published: 2025-07-16
File Browser's insecure JWT handling can lead to session replay attacks after logout
Summary: File Browser's authentication system issues long-lived JWT tokens that remain valid even after the user logs out. Please refer to the CWEs listed in this report for further reference and system standards. In summary, the main issue is: - Tokens remain valid after logout (session repl
Sources: GHSA, OSV

CVE-2025-52904 | HIGH | CWE-77 | Affected: ≥ 0, ≤ 1.11.0 | Published: 2025-06-30
File Browser: Command Execution not Limited to Scope
Summary: In the web application, all users have a *scope* assigned, and they only have access to the files within that *scope*. The *Command Execution* feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server.
Impact: S
Sources: GHSA, OSV

CVE-2025-52995 | HIGH | CWE-77 | Affected: ≥ 0, ≤ 1.11.0 | Published: 2025-06-30
File Browser vulnerable to command execution allowlist bypass
Summary: The *Command Execution* feature of Filebrowser only allows the execution of shell commands which have been predefined on a user-specific allowlist. The implementation of this allowlist is erroneous, allowing a user to execute additional commands that are not permitted.
Impact: A user can execute more shell commands than they are aut
Sources: GHSA, OSV

CVE-2025-52997 | MEDIUM | CWE-1392 | Affected: ≥ 0, ≤ 1.11.0 | Published: 2025-06-30
File Browser vulnerable to insecure password handling
Summary: All user accounts authenticate towards a *File Browser* instance with a password. A missing password policy and a lack of brute-force protection make it impossible for administrators to properly secure the authentication process.
Impact: Attackers can mount a brute-force attack against the passwords of all accounts of an instance. Since the ap
Sources: GHSA, OSV

CVE-2025-52901 | MEDIUM | CWE-598 | Affected: ≥ 0, ≤ 1.11.0 | Published: 2025-06-30
File Browser allows sensitive data to be transferred in URL
Summary: URLs that are accessed by a user are commonly logged in many locations, both server- and client-side. It is thus good practice to never transmit any secret information as part of a URL. *Filebrowser* violates this practice, since access tokens are used as GET parameters.
Impact: The *JSON Web Token (JWT)* which is used as a s
Sources: GHSA, OSV

CVE-2025-52996 | LOW | CWE-305 | Affected: ≥ 0, ≤ 1.11.0 | Published: 2025-06-30
File Browser's password protection of links is bypassable
Summary: Files managed by *File Browser* can be shared with a link to external persons. While the application allows protecting those links with a password, the implementation is error-prone, making accidental unprotected sharing of a file possible.
Impact: File owners might rest in the assumption that their shared files are only ac
Sources: GHSA, OSV

CVE-2025-52903 | HIGH | CWE-183 | Affected: ≥ 0, ≤ 1.11.0 | Published: 2025-06-27
filebrowser Allows Shell Commands to Spawn Other Commands
Summary: The *Command Execution* feature of File Browser only allows the execution of shell commands which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary other commands, rendering this limitation void.
Impact: The concrete impact depends on the commands being granted to the attacker, but
Sources: GHSA, OSV

CVE-2025-52902 | HIGH | CWE-79 | Affected: ≥ 0, ≤ 1.11.0 | Published: 2025-06-27
filebrowser allows Stored Cross-Site Scripting through the Markdown preview function
Summary: The Markdown preview function of File Browser v2.32.0 is vulnerable to *Stored Cross-Site Scripting (XSS)*. Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser.
Impact: A user can upload a malicious Markdown file to the applicat
Sources: GHSA, OSV

CVE-2025-52900 | MEDIUM | CWE-276 | Affected: ≥ 0, ≤ 1.11.0 | Published: 2025-06-27
filebrowser Sets Insecure File Permissions
Summary: The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same is true for the database used by File Browser. On standard servers where the *umask* configuration has not been hardened beforehand, this makes all the stated files readable by any operating system account.
Impact: The default per
Sources: GHSA, OSV