apk package
chainguard/filebrowser
pkg:apk/chainguard/filebrowser
Vulnerabilities (32)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33814 | High | 7.5 | | < 0 | 0 | May 7, 2026 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. |
| CVE-2026-32289 | Medium | 6.1 | | < 2.63.1-r1 | 2.63.1-r1 | Apr 8, 2026 | Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect es |
| CVE-2026-32288 | Medium | 5.5 | | < 2.63.1-r1 | 2.63.1-r1 | Apr 8, 2026 | tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. |
| CVE-2026-32283 | High | 7.5 | | < 2.63.1-r1 | 2.63.1-r1 | Apr 8, 2026 | If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. |
| CVE-2026-32282 | Medium | 6.4 | | < 0 | 0 | Apr 8, 2026 | On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which R |
| CVE-2026-32281 | High | 7.5 | | < 2.63.1-r1 | 2.63.1-r1 | Apr 8, 2026 | Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root C |
| CVE-2026-32280 | High | 7.5 | | < 2.63.1-r1 | 2.63.1-r1 | Apr 8, 2026 | During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls |
| CVE-2026-27140 | High | 8.8 | | < 2.63.1-r1 | 2.63.1-r1 | Apr 8, 2026 | SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. |
| CVE-2026-35585 | High | 7.2 | | < 2.63.2-r0 | 2.63.2-r0 | Apr 7, 2026 | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 through 2.63.1, the hook system in File Browser — which executes administrator-defined shell commands on file events such as upload, |
| CVE-2026-33817 | — | | | < 0 | 0 | Apr 6, 2026 | Rejected reason: CVE confirmed to be a false positive |
| CVE-2026-25890 | — | | | < 2.59.0-r0 | 2.59.0-r0 | Feb 9, 2026 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By addin |
| CVE-2026-23849 | — | | | < 2.56.0-r0 | 2.56.0-r0 | Jan 19, 2026 | File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid use |
| CVE-2025-47914 | — | | | < 2.48.2-r1 | 2.48.2-r1 | Nov 19, 2025 | SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. |
| CVE-2025-58181 | — | | | < 2.48.2-r1 | 2.48.2-r1 | Nov 19, 2025 | SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. |
| CVE-2025-11579 | — | | | < 2.44.0-r1 | 2.44.0-r1 | Oct 10, 2025 | github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash. |
| CVE-2025-58058 | Medium | 5.3 | | < 2.42.5-r1 | 2.42.5-r1 | Aug 28, 2025 | xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the |
| CVE-2025-53893 | — | | | < 2.45.0-r0 | 2.45.0-r0 | Jul 15, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.38.0, a Denial of Service (DoS) vulnerability exists in the file processing logic when reading a file on endpoint `Fil |
| CVE-2025-52997 | — | | | < 2.36.0-r0 | 2.36.0-r0 | Jun 30, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and brute-force protection makes the authentication process insecure. Attackers co |
| CVE-2025-52996 | — | | | < 2.45.0-r0 | 2.45.0-r0 | Jun 30, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions 2.32.0 and prior, the implementation of password protected links is error-prone, resulting in potential unprotected shari |
| CVE-2025-52904 | — | | | < 2.36.0-r0 | 2.36.0-r0 | Jun 26, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In version 2.32.0 of the web application, all users have a scope assigned, and they only have access to the files within that scope. |
Page 1 of 2