github.com/filebrowser/filebrowser v2 vulnerabilities
37 known vulnerabilities affecting github.com/filebrowser_filebrowser_v2.
Total CVEs: 37
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 18, MEDIUM 13, LOW 1, UNKNOWN 2
Vulnerabilities
Page 2 of 2
CVE-2026-54097 | P3 | HIGH | affected: ≥ 0, < 2.63.6 | 2026-06-12
CVE-2026-54097 [HIGH] CWE-639 File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix
### Summary
A low-privileged authenticated user of filebrowser (with `create` + `delete` permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legit
Sources: GHSA
CVE-2026-35606 | P3 | MEDIUM | affected: ≥ 0, < 2.63.1 | 2026-04-08
CVE-2026-35606 [MEDIUM] CWE-862 File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
## Summary
The `resourceGetHandler` in `http/resource.go` returns full text file content without checking the `Perm.Download` permission flag. All three other content-serving endpoints (`/api/raw`, `/api/preview`, `/api/subtitle`) correctly verify this permission befo
Sources: GHSA, OSV
CVE-2026-34529 | P3 | MEDIUM | CVSS 4.8 | affected: ≥ 0, < 2.62.2 | 2026-03-31
CVE-2026-34529 [MEDIUM] CWE-79 File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file
### Summary
The EPUB preview function in File Browser is vulnerable to Stored Cross-site Scripting (XSS). JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file.
### Details
`frontend/src/views/files/Preview.vue` passes `allowScriptedContent: true` to the `
Sources: GHSA, OSV
CVE-2026-32761 | P3 | UNKNOWN | affected: ≥ 0, < 2.62.0 | 2026-04-07
CVE-2026-32761 File Browser has an Authorization Policy Bypass in Public Share Download Flow in github.com/filebrowser/filebrowser
Sources: OSV
CVE-2026-28492 | P3 | HIGH | affected: ≥ 0, < 2.61.0 | 2026-03-02
CVE-2026-28492 [HIGH] CWE-200 FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory
### Summary
When a user creates a public share link for a **directory**, the `withHashFile` middleware in `http/public.go` (line 59) uses `filepath.Dir(link.Path)` to compute the `BasePathFs` root. This sets the filesystem root to the **parent directory** instead of the shar
Sources: GHSA, OSV
CVE-2026-32758 | P3 | MEDIUM | affected: ≥ 0, < 2.62.0 | 2026-03-16
CVE-2026-32758 [MEDIUM] CWE-22 File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter
## Description
The `resourcePatchHandler` in `http/resource.go` validates the destination path against configured access rules before the path is cleaned/normalized. The rules engine (`rules/rules.go`) uses literal string prefix matching (`strings.HasPrefix`) or regex matching
Sources: GHSA, OSV
CVE-2025-52995 | P3 | HIGH | affected: ≥ 0, < 2.33.10 | 2025-06-30
CVE-2025-52995 [HIGH] CWE-77 File Browser vulnerable to command execution allowlist bypass
## Summary ##
The *Command Execution* feature of Filebrowser only allows the execution of shell commands which have been predefined on a user-specific allowlist. The implementation of this allowlist is erroneous, allowing a user to execute additional commands that are not permitted.
## Impact ##
A user can execute more shell commands than they are aut
Sources: GHSA, OSV
CVE-2025-52901 | P3 | MEDIUM | affected: ≥ 0, < 2.33.9 | 2025-06-30
CVE-2025-52901 [MEDIUM] CWE-598 File Browser allows sensitive data to be transferred in URL
## Summary
URLs that are accessed by a user are commonly logged in many locations, both server- and client-side. It is thus good practice to never transmit any secret information as part of a URL. The *Filebrowser* violates this practice, since access tokens are used as GET parameters.
## Impact
The *JSON Web Token (JWT)* which is used as a s
Sources: GHSA, OSV
CVE-2026-54092 | P3 | HIGH | affected: ≥ 0, < 2.63.6 | 2026-06-12
CVE-2026-54092 [HIGH] CWE-1284 File Browser has a DoS Vulnerability via Public Login API
### Summary
Unchecked password maximums allow for an arbitrarily large password to be passed into the login API. This spikes CPU and memory, and after testing, crashes, heavily lags any container created, and has even made my docker daemon start to send errors with status code 500 even after the container was destroyed.
### Details
When sending JSO
Sources: GHSA
CVE-2026-23849 | P3 | MEDIUM | affected: ≥ 0, < 2.55.0 | 2026-01-21
CVE-2026-23849 [MEDIUM] CWE-203 File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login
### Summary
The JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint.
### Details
The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username i
Sources: GHSA, OSV
CVE-2025-53893 | P3 | UNKNOWN | affected: ≥ 2.0.0-rc.1 | 2025-07-28
CVE-2025-53893 File Browser's Uncontrolled Memory Consumption vulnerability can enable DoS attack due to oversized file processing in github.com/filebrowser/filebrowser
Sources: OSV
CVE-2026-25889 | P3 | MEDIUM | affected: ≥ 0, < 2.57.1 | 2026-02-10
CVE-2026-25889 [MEDIUM] CWE-178 File Browser has an Authentication Bypass in User Password Update
# Security Advisory: Authentication Bypass in User Password Update
## Summary
A case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) **without providing the current password**. By using Title Case field name `"Password"` instead of
Sources: GHSA, OSV
CVE-2026-54093 | P4 | MEDIUM | affected: ≥ 0, < 2.63.6 | 2026-06-12
CVE-2026-54093 [MEDIUM] CWE-22 File Browser: FilePath traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames
### Summary
filebrowser builds the download-as-zip / download-as-tar archive entry names with `filepath.ToSlash`, which on a Linux host is a no-op for backslashes (`\` is only a path separator on Windows). A file whose name contains Windo
Sources: GHSA
CVE-2026-34530 | P4 | MEDIUM | affected: ≥ 0, < 2.62.2 | 2026-03-31
CVE-2026-34530 [MEDIUM] CWE-79 File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection
### Summary
The SPA index page in File Browser is vulnerable to Stored Cross-site Scripting (XSS) via admin-controlled branding fields. An admin who sets `branding.name` to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated use
Sources: GHSA, OSV
CVE-2025-52900 | P4 | MEDIUM | affected: ≥ 0, < 2.33.7 | 2025-06-27
CVE-2025-52900 [MEDIUM] CWE-276 filebrowser Sets Insecure File Permissions
## Summary ##
The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application.
The same is true for the database used by File Browser. On standard servers where the *umask* configuration has not been hardened before, this makes all the stated files readable by any operating system account.
## Impact ##
The default per
Sources: GHSA, OSV
CVE-2025-52902 | P4 | HIGH | affected: ≥ 0, < 2.33.7 | 2025-06-27
CVE-2025-52902 [HIGH] CWE-79 filebrowser allows Stored Cross-Site Scripting through the Markdown preview function
## Summary ##
The Markdown preview function of File Browser v2.32.0 is vulnerable to *Stored Cross-Site-Scripting (XSS)*. Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser
## Impact ##
A user can upload a malicious Markdown file to the applicat
Sources: GHSA, OSV
CVE-2025-52996 | P4 | LOW | affected: ≥ 0, ≤ 2.42.1 | 2025-06-30
CVE-2025-52996 [LOW] CWE-305 File Browser's password protection of links is bypassable
## Summary ##
Files managed by the *File Browser* can be shared with a link to external persons. While the application allows protecting those links with a password, the implementation is error-prone, making an incidental unprotected sharing of a file possible.
## Impact ##
File owners might rest in the assumption that their shared files are only ac
Sources: GHSA, OSV