github.com/filebrowser/filebrowser v2 vulnerabilities
30 known vulnerabilities affecting github.com/filebrowser_filebrowser_v2.
Total CVEs: 30
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 13, MEDIUM 11, LOW 1, UNKNOWN 2
Vulnerabilities
Page 1 of 2
CVE-2026-35604 [HIGH] CWE-863 File Browser share links remain accessible after Share/Download permissions are revoked
Affected versions: ≥ 0, < 2.63.1 | Published: 2026-04-08
When an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. Verified with a running PoC against v2.62.2 (co
Sources: GHSA, OSV

CVE-2026-35607 [HIGH] CWE-269 File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands
Affected versions: ≥ 0, < 2.63.1 | Published: 2026-04-08
## Summary
The fix in commit `b6a4fb1` ("self-registered users don't get execute perms") stripped `Execute` permission and `Commands` from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are
Sources: GHSA, OSV

CVE-2026-35585 [HIGH] CWE-78 File Browser has a Command Injection via Hook Runner
Affected versions: ≥ 2.0.0-rc.1, ≤ 2.63.1 | Published: 2026-04-08
> [!NOTE]
> **This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations**. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new advisory to make it clear that it also applies to Hook Runne
Sources: GHSA, OSV

CVE-2026-35606 [MEDIUM] CWE-862 File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
Affected versions: ≥ 0, < 2.63.1 | Published: 2026-04-08
## Summary
The `resourceGetHandler` in `http/resource.go` returns full text file content without checking the `Perm.Download` permission flag. All three other content-serving endpoints (`/api/raw`, `/api/preview`, `/api/subtitle`) correctly verify this permission befo
Sources: GHSA, OSV

CVE-2026-35605 [MEDIUM] CWE-22 File Browser has an access rule bypass via HasPrefix without trailing separator in path matching
Affected versions: ≥ 0, < 2.63.1 | Published: 2026-04-08
Hi,
The `Matches()` function in `rules/rules.go` uses `strings.HasPrefix()` without a trailing directory separator when matching paths against access rules. A rule for `/uploads` also matches `/uploads_backup/`, granting or denying access to unintended directories. Verifie
Sources: GHSA, OSV

CVE-2026-32761 [UNKNOWN] File Browser has an Authorization Policy Bypass in Public Share Download Flow in github.com/filebrowser/filebrowser
Affected versions: ≥ 0, < 2.62.0 | Published: 2026-04-07
Sources: OSV

CVE-2026-34528 [HIGH] CWE-269 File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution
Affected versions: ≥ 0, < 2.62.2 | Published: 2026-03-31
## Summary
The `signupHandler` in File Browser applies default user permissions via `d.settings.Defaults.Apply(user)`, then strips only `Admin` (commit `a63573b`). The `Execute` permission and `Commands` list from the default user template are **not** stripped. When an administ
Sources: GHSA, OSV

CVE-2026-34529 [MEDIUM] CWE-79 File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file
CVSS: 4.8 | Affected versions: ≥ 0, < 2.62.2 | Published: 2026-03-31
### Summary
The EPUB preview function in File Browser is vulnerable to Stored Cross-site Scripting (XSS). JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file.
### Details
`frontend/src/views/files/Preview.vue` passes `allowScriptedContent: true` to the `
Sources: GHSA, OSV

CVE-2026-34530 [MEDIUM] CWE-79 File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection
Affected versions: ≥ 0, < 2.62.2 | Published: 2026-03-31
### Summary
The SPA index page in File Browser is vulnerable to Stored Cross-site Scripting (XSS) via admin-controlled branding fields. An admin who sets `branding.name` to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated use
Sources: GHSA, OSV

CVE-2026-32760 [CRITICAL] CWE-269 File Browser Signup Grants Admin When Default Permissions Include Admin
Affected versions: ≥ 0, < 2.62.0 | Published: 2026-03-16
## Summary
Any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings - including Perm.Admin - to the new user without any server-side guard that
Sources: GHSA, OSV

CVE-2026-32759 [MEDIUM] CWE-190 File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely
Affected versions: ≥ 0, ≤ 2.61.1 | Published: 2026-03-16
## Summary
The TUS resumable upload handler parses the `Upload-Length` header as a signed 64-bit integer without validating that the value is non-negative. When a negative value is supplied (e.g. `-1`), the first PATCH request immediately satisfies the completion condition (`newOffset >= uploadLength` → `0 >= -1`)
Sources: GHSA, OSV

CVE-2026-32758 [MEDIUM] CWE-22 File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter
Affected versions: ≥ 0, < 2.62.0 | Published: 2026-03-16
## Description
The `resourcePatchHandler` in `http/resource.go` validates the destination path against configured access rules before the path is cleaned/normalized. The rules engine (`rules/rules.go`) uses literal string prefix matching (`strings.HasPrefix`) or regex matching
Sources: GHSA, OSV

CVE-2026-29188 [CRITICAL] CWE-284 File Browser's TUS Delete Endpoint Bypasses Delete Permission Check
Affected versions: ≥ 0, < 2.61.1 | Published: 2026-03-04
### Summary
A broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file
Sources: GHSA, OSV

CVE-2026-28492 [HIGH] CWE-200 FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory
Affected versions: ≥ 0, < 2.61.0 | Published: 2026-03-02
### Summary
When a user creates a public share link for a **directory**, the `withHashFile` middleware in `http/public.go` (line 59) uses `filepath.Dir(link.Path)` to compute the `BasePathFs` root. This sets the filesystem root to the **parent directory** instead of the shar
Sources: GHSA, OSV

CVE-2026-25890 [HIGH] CWE-706 File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL
Affected versions: ≥ 0, < 2.57.1 | Published: 2026-02-10
### Summary
An authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, gran
Sources: GHSA, OSV

CVE-2026-25889 [MEDIUM] CWE-178 File Browser has an Authentication Bypass in User Password Update
Affected versions: ≥ 0, < 2.57.1 | Published: 2026-02-10
# Security Advisory: Authentication Bypass in User Password Update
## Summary
A case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) **without providing the current password**. By using Title Case field name `"Password"` instead of
Sources: GHSA, OSV

CVE-2026-23849 [MEDIUM] CWE-203 File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login
Affected versions: ≥ 0, < 2.55.0 | Published: 2026-01-21
### Summary
The JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint.
### Details
The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username i
Sources: GHSA, OSV

CVE-2025-22871 [CRITICAL] CWE-1395 File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency
CVSS: 9.1 | Affected versions: ≥ 0, < 2.45.2 | Published: 2025-11-13
The standard library `net/http` package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. It can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of
Sources: GHSA, OSV

CVE-2025-64523 [HIGH] CWE-285 File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function
Affected versions: ≥ 0, < 2.45.1 | Published: 2025-11-13
### Summary
An Insecure Direct Object Reference (IDOR) vulnerability has been found in the FileBrowser application's share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users' shared links without authoriza
Sources: GHSA, OSV

CVE-2025-53893 [UNKNOWN] File Browser's Uncontrolled Memory Consumption vulnerability can enable DoS attack due to oversized file processing in github.com/filebrowser/filebrowser
Affected versions: ≥ 2.0.0-rc.1 | Published: 2025-07-28
Sources: OSV