
Github.Com Filebrowser Filebrowser V2 vulnerabilities

37 known vulnerabilities affecting github.com/filebrowser_filebrowser_v2.

Total CVEs: 37
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 18, MEDIUM 13, LOW 1, UNKNOWN 2

Vulnerabilities

Page 2 of 2

Each entry lists: CVE id | priority | severity | CVSS (where recorded) | affected version range | publication date, followed by the advisory title, the beginning of the advisory text, and the sources (GHSA, OSV) the record was taken from.
CVE-2026-54097 | P3 | HIGH | affected ≥ 0, < 2.63.6 | published 2026-06-12
[HIGH] CWE-639 File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix
Summary: A low-privileged authenticated user of filebrowser (with `create` + `delete` permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legit
Sources: GHSA
CVE-2026-35606 | P3 | MEDIUM | affected ≥ 0, < 2.63.1 | published 2026-04-08
[MEDIUM] CWE-862 File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
Summary: The `resourceGetHandler` in `http/resource.go` returns full text file content without checking the `Perm.Download` permission flag. All three other content-serving endpoints (`/api/raw`, `/api/preview`, `/api/subtitle`) correctly verify this permission befo
Sources: GHSA, OSV
CVE-2026-34529 | P3 | MEDIUM | CVSS 4.8 | affected ≥ 0, < 2.62.2 | published 2026-03-31
[MEDIUM] CWE-79 File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file
Summary: The EPUB preview function in File Browser is vulnerable to Stored Cross-site Scripting (XSS). JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file. Details: `frontend/src/views/files/Preview.vue` passes `allowScriptedContent: true` to the `
Sources: GHSA, OSV
CVE-2026-32761 | P3 | UNKNOWN | affected ≥ 0, < 2.62.0 | published 2026-04-07
File Browser has an Authorization Policy Bypass in Public Share Download Flow in github.com/filebrowser/filebrowser
Sources: OSV
CVE-2026-28492 | P3 | HIGH | affected ≥ 0, < 2.61.0 | published 2026-03-02
[HIGH] CWE-200 FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory
Summary: When a user creates a public share link for a directory, the `withHashFile` middleware in `http/public.go` (line 59) uses `filepath.Dir(link.Path)` to compute the `BasePathFs` root. This sets the filesystem root to the parent directory instead of the shar
Sources: GHSA, OSV
CVE-2026-32758 | P3 | MEDIUM | affected ≥ 0, < 2.62.0 | published 2026-03-16
[MEDIUM] CWE-22 File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter
Description: The `resourcePatchHandler` in `http/resource.go` validates the destination path against configured access rules before the path is cleaned/normalized. The rules engine (`rules/rules.go`) uses literal string prefix matching (`strings.HasPrefix`) or regex matching
Sources: GHSA, OSV
CVE-2025-52995 | P3 | HIGH | affected ≥ 0, < 2.33.10 | published 2025-06-30
[HIGH] CWE-77 File Browser vulnerable to command execution allowlist bypass
Summary: The Command Execution feature of Filebrowser only allows the execution of shell commands which have been predefined on a user-specific allowlist. The implementation of this allowlist is erroneous, allowing a user to execute additional commands not permitted. Impact: A user can execute more shell commands than they are aut
Sources: GHSA, OSV
CVE-2025-52901 | P3 | MEDIUM | affected ≥ 0, < 2.33.9 | published 2025-06-30
[MEDIUM] CWE-598 File Browser allows sensitive data to be transferred in URL
Summary: URLs that are accessed by a user are commonly logged in many locations, both server- and client-side. It is thus good practice to never transmit any secret information as part of a URL. Filebrowser violates this practice, since access tokens are used as GET parameters. Impact: The JSON Web Token (JWT) which is used as a s
Sources: GHSA, OSV
CVE-2026-54092 | P3 | HIGH | affected ≥ 0, < 2.63.6 | published 2026-06-12
[HIGH] CWE-1284 File Browser has a DoS Vulnerability via Public Login API
Summary: Unchecked password maximums allow an arbitrarily large password to be passed into the login API. This spikes CPU and memory, and after testing, crashes, heavily lags any container created, and has even made my docker daemon start to send errors with status code 500 even after the container was destroyed. Details: When sending JSO
Sources: GHSA
CVE-2026-23849 | P3 | MEDIUM | affected ≥ 0, < 2.55.0 | published 2026-01-21
[MEDIUM] CWE-203 File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login
Summary: The JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. Details: The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username i
Sources: GHSA, OSV
CVE-2025-53893 | P3 | UNKNOWN | affected ≥ 2.0.0-rc.1 | published 2025-07-28
File Browser's Uncontrolled Memory Consumption vulnerability can enable DoS attack due to oversized file processing in github.com/filebrowser/filebrowser
Sources: OSV
CVE-2026-25889 | P3 | MEDIUM | affected ≥ 0, < 2.57.1 | published 2026-02-10
[MEDIUM] CWE-178 File Browser has an Authentication Bypass in User Password Update
Security Advisory: Authentication Bypass in User Password Update. Summary: A case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name `"Password"` instead of
Sources: GHSA, OSV
CVE-2026-54093 | P4 | MEDIUM | affected ≥ 0, < 2.63.6 | published 2026-06-12
[MEDIUM] CWE-22 File Browser: FilePath traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames
Summary: filebrowser builds the download-as-zip / download-as-tar archive entry names with `filepath.ToSlash`, which on a Linux host is a no-op for backslashes (`\` is only a path separator on Windows). A file whose name contains Windo
Sources: GHSA
CVE-2026-34530 | P4 | MEDIUM | affected ≥ 0, < 2.62.2 | published 2026-03-31
[MEDIUM] CWE-79 File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection
Summary: The SPA index page in File Browser is vulnerable to Stored Cross-site Scripting (XSS) via admin-controlled branding fields. An admin who sets `branding.name` to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated use
Sources: GHSA, OSV
CVE-2025-52900 | P4 | MEDIUM | affected ≥ 0, < 2.33.7 | published 2025-06-27
[MEDIUM] CWE-276 filebrowser Sets Insecure File Permissions
Summary: The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same is true for the database used by File Browser. On standard servers where the umask configuration has not been hardened, this makes all the stated files readable by any operating system account. Impact: The default per
Sources: GHSA, OSV
CVE-2025-52902 | P4 | HIGH | affected ≥ 0, < 2.33.7 | published 2025-06-27
[HIGH] CWE-79 filebrowser allows Stored Cross-Site Scripting through the Markdown preview function
Summary: The Markdown preview function of File Browser v2.32.0 is vulnerable to Stored Cross-Site Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser. Impact: A user can upload a malicious Markdown file to the applicat
Sources: GHSA, OSV
CVE-2025-52996 | P4 | LOW | affected ≥ 0, ≤ 2.42.1 | published 2025-06-30
[LOW] CWE-305 File Browser's password protection of links is bypassable
Summary: Files managed by File Browser can be shared with a link to external persons. While the application allows protecting those links with a password, the implementation is error-prone, making an incidental unprotected sharing of a file possible. Impact: File owners might rest in the assumption that their shared files are only ac
Sources: GHSA, OSV