Github.Com Filebrowser Filebrowser V2 vulnerabilities
37 known vulnerabilities affecting github.com/filebrowser_filebrowser_v2.
Total CVEs: 37
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 18, MEDIUM 13, LOW 1, UNKNOWN 2
Vulnerabilities
Page 1 of 2
CVE-2021-46398 | P2 | HIGH | PoC | ≥ 0, < 2.18.0 | 2022-02-05
CVE-2021-46398 [HIGH] CWE-352 Cross-Site Request Forgery in Filebrowser
Cross-Site Request Forgery in Filebrowser
A Cross-Site Request Forgery (CSRF) vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim.
Sources: ghsa, osv
CVE-2026-34528 | P2 | HIGH | ≥ 0, < 2.62.2 | 2026-03-31
CVE-2026-34528 [HIGH] CWE-269 File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution
## Summary
The `signupHandler` in File Browser applies default user permissions via `d.settings.Defaults.Apply(user)`, then strips only `Admin` (commit `a63573b`). The `Execute` permission and `Commands` list from the default user template are **not** stripped. When an administ
Sources: ghsa, osv
CVE-2026-32760 | P2 | CRITICAL | ≥ 0, < 2.62.0 | 2026-03-16
CVE-2026-32760 [CRITICAL] CWE-269 File Browser Signup Grants Admin When Default Permissions Include Admin
File Browser Signup Grants Admin When Default Permissions Include Admin
## Summary
Any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings - including Perm.Admin - to the new user without any server-side guard that
Sources: ghsa, osv
CVE-2026-32759 | P2 | MEDIUM | ≥ 0, ≤ 2.61.1 | 2026-03-16
CVE-2026-32759 [MEDIUM] CWE-190 File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely
File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely
## Summary
The TUS resumable upload handler parses the `Upload-Length` header as a signed 64-bit integer without validating that the value is non-negative. When a negative value is supplied (e.g. `-1`), the first PATCH request immediately satisfies the completion condition (`newOffset >= uploadLength` → `0 >= -1`)
Sources: ghsa, osv
CVE-2026-54090 | P3 | HIGH | CVSS 8.0 | ≥ 0, < 2.33.8 | 2026-06-12
CVE-2026-54090 [HIGH] CWE-77 File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection
File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection
> [!NOTE]
> **This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations**. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing
Source: ghsa
CVE-2026-25890 | P3 | HIGH | ≥ 0, < 2.57.1 | 2026-02-10
CVE-2026-25890 [HIGH] CWE-706 File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL
File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL
### Summary
An authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, gran
Sources: ghsa, osv
CVE-2026-35607 | P3 | HIGH | ≥ 0, < 2.63.1 | 2026-04-08
CVE-2026-35607 [HIGH] CWE-269 File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands
File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands
## Summary
The fix in commit `b6a4fb1` ("self-registered users don't get execute perms") stripped `Execute` permission and `Commands` from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are
Sources: ghsa, osv
CVE-2026-35585 | P3 | HIGH | ≥ 2.0.0-rc.1, ≤ 2.63.1 | 2026-04-08
CVE-2026-35585 [HIGH] CWE-78 File Browser has a Command Injection via Hook Runner
File Browser has a Command Injection via Hook Runner
> [!NOTE]
> **This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations**. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new advisory to make it clear that it also applies to Hook Runne
Sources: ghsa, osv
CVE-2025-64523 | P3 | HIGH | ≥ 0, < 2.45.1 | 2025-11-13
CVE-2025-64523 [HIGH] CWE-285 File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function
File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function
### Summary
An Insecure Direct Object Reference (IDOR) vulnerability has been found in the FileBrowser application's share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users' shared links without authoriza
Sources: ghsa, osv
CVE-2025-22871 | P3 | CRITICAL | CVSS 9.1 | ≥ 0, < 2.45.2 | 2025-11-13
CVE-2025-22871 [CRITICAL] CWE-1395 File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency
File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency
The standard library `net/http` package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. It can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of
Sources: ghsa, osv
CVE-2025-53826 | P3 | HIGH | ≥ 0, ≤ 2.39.0 | 2025-07-16
CVE-2025-53826 [HIGH] CWE-305 File Browser’s insecure JWT handling can lead to session replay attacks after logout
File Browser’s insecure JWT handling can lead to session replay attacks after logout
### Summary
File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. Please refer to the CWEs listed in this report for further reference and system standards. In summary, the main issue is:
- Tokens remain valid after logout (session repl
Sources: ghsa, osv
CVE-2026-29188 | P3 | CRITICAL | ≥ 0, < 2.61.1 | 2026-03-04
CVE-2026-29188 [CRITICAL] CWE-284 File Browser's TUS Delete Endpoint Bypasses Delete Permission Check
File Browser's TUS Delete Endpoint Bypasses Delete Permission Check
### Summary
A broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file
Sources: ghsa, osv
CVE-2026-54096 | P3 | HIGH | CVSS 8.4 | ≥ 0, < 2.63.7 | 2026-06-12
CVE-2026-54096 [HIGH] CWE-367 File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path
File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path
### Summary
This is a vulnerability similar to **`CVE-2026-0035`**, which was fixed in Android `MediaProvider` with **high** severity. In the original Java issue, `MediaStore.createWriteRequest()` accepted attacker-controlled URIs and created a future grant even when the refe
Source: ghsa
CVE-2026-35604 | P3 | HIGH | ≥ 0, < 2.63.1 | 2026-04-08
CVE-2026-35604 [HIGH] CWE-863 File Browser share links remain accessible after Share/Download permissions are revoked
File Browser share links remain accessible after Share/Download permissions are revoked
When an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. Verified with a running PoC against v2.62.2 (co
Sources: ghsa, osv
CVE-2026-54091 | P3 | HIGH | ≥ 0, < 2.63.6 | 2026-06-12
CVE-2026-54091 [HIGH] CWE-863 File Browser has incorrect access control for public directory shares via rule path rebasing
File Browser has incorrect access control for public directory shares via rule path rebasing
### Summary
File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's sco
Source: ghsa
CVE-2025-52903 | P3 | HIGH | ≥ 0, < 2.33.10 | 2025-06-27
CVE-2025-52903 [HIGH] CWE-183 filebrowser Allows Shell Commands to Spawn Other Commands
filebrowser Allows Shell Commands to Spawn Other Commands
## Summary ##
The *Command Execution* feature of File Browser only allows the execution of shell commands which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void.
## Impact ##
The concrete impact depends on the commands being granted to the attacker, but
Sources: ghsa, osv
CVE-2025-52904 | P3 | HIGH | ≥ 0, ≤ 2.35.0 | 2025-06-30
CVE-2025-52904 [HIGH] CWE-77 File Browser: Command Execution not Limited to Scope
File Browser: Command Execution not Limited to Scope
## Summary ##
In the web application, all users have a *scope* assigned, and they only have access to the files within that *scope*.
The *Command Execution* feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server.
## Impact ##
S
Sources: ghsa, osv
CVE-2025-52997 | P3 | MEDIUM | ≥ 0, < 2.34.1 | 2025-06-30
CVE-2025-52997 [MEDIUM] CWE-1392 File Browser vulnerable to insecure password handling
File Browser vulnerable to insecure password handling
## Summary ##
All user accounts authenticate towards a *File Browser* instance with a password. The absence of a password policy and of brute-force protection makes it impossible for administrators to properly secure the authentication process.
## Impact ##
Attackers can mount a brute-force attack against the passwords of all accounts of an instance. Since the ap
Sources: ghsa, osv
CVE-2026-54094 | P3 | MEDIUM | ≥ 0, < 2.63.14 | 2026-06-12
CVE-2026-54094 [MEDIUM] CWE-22 File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope
File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope
## Summary
File Browser enforces per-user scope with `afero.NewBasePathFs(afero.NewOsFs(), scope)`, set up in `users/users.go`. This blocks lexical `../` traversal, but it does not stop the HTTP file handlers from following symbolic link
Source: ghsa
CVE-2026-35605 | P3 | MEDIUM | ≥ 0, < 2.63.1 | 2026-04-08
CVE-2026-35605 [MEDIUM] CWE-22 File Browser has an access rule bypass via HasPrefix without trailing separator in path matching
File Browser has an access rule bypass via HasPrefix without trailing separator in path matching
Hi,
The `Matches()` function in `rules/rules.go` uses `strings.HasPrefix()` without a trailing directory separator when matching paths against access rules. A rule for `/uploads` also matches `/uploads_backup/`, granting or denying access to unintended directories. Verifie
Sources: ghsa, osv