VYPR

Vendor CVEs

Filebrowser

All CVEs

39 total · sorted by risk
  • CVE-2026-32759HigMar 20, 2026
    risk 0.53cvss 8.1epss 0.02

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions on the 2.x branch prior to 2.33.8, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer…

  • CVE-2025-52904HigJun 26, 2025
    risk 0.52cvss 8.0epss 0.01

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions of the web application on the 2.x branch, all users have a scope assigned, and they only have access to the files within…

  • CVE-2026-35607HigApr 7, 2026
    risk 0.46cvss 8.1epss 0.00

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 ("self-registered users don't get execute perms") stripped Execute permission and Commands from…

  • CVE-2026-35604HigApr 7, 2026
    risk 0.46cvss 8.1epss 0.00

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully…

  • CVE-2026-34528HigApr 1, 2026
    risk 0.46cvss 8.1epss 0.01

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips…

  • CVE-2025-52903HigJun 26, 2025
    risk 0.45cvss 8.0epss 0.01

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions on the 2.x branch prior to 2.33.10, the Command Execution feature of File Browser only allows the execution of shell…

  • CVE-2026-35606HigApr 7, 2026
    risk 0.42cvss 7.5epss 0.00

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag.…

  • CVE-2026-35605HigApr 7, 2026
    risk 0.42cvss 7.5epss 0.00

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the Matches() function in rules/rules.go uses strings.HasPrefix() without a trailing directory separator when matching paths…

  • CVE-2026-34529HigApr 1, 2026
    risk 0.42cvss 7.6epss 0.00

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the EPUB preview function in File Browser is vulnerable to Stored Cross-Site Scripting (XSS). JavaScript embedded in…

  • CVE-2026-35585HigApr 7, 2026
    risk 0.40cvss 7.2epss 0.02

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 until 2.33.8, the hook system in File Browser — which executes administrator-defined shell commands on file events such as…

  • CVE-2026-54090higJun 12, 2026
    risk 0.39cvss epss 0.00

    > [!NOTE] > **This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations**. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities.…

  • CVE-2026-54091higJun 12, 2026
    risk 0.39cvss epss 0.00

    ### Summary File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's…

  • CVE-2026-54092higJun 12, 2026
    risk 0.39cvss epss 0.00

    ### Summary Unchecked passwords maximums allow for an arbitrarily large password to be passed into the login API. This spikes CPU and memory, and after testing, crashes, heavily lags any container created, and has even made my docker daemon start to send errors with status code…

  • CVE-2026-54096higJun 12, 2026
    risk 0.39cvss epss 0.00

    ### Summary This is similar vulnrability of **`CVE-2026-0035`**, which was fixed in Android `MediaProvider` with **high** severity. In the original Java issue, `MediaStore.createWriteRequest()` accepted attacker-controlled URIs and created a future grant even when the referenced…

  • CVE-2026-54097higJun 12, 2026
    risk 0.39cvss epss 0.00

    ### Summary A low-privileged authenticated user of filebrowser (with `create` + `delete` permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file…

  • CVE-2026-34530MedApr 1, 2026
    risk 0.38cvss 6.9epss 0.00

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding…

  • CVE-2026-54093Jun 12, 2026
    risk 0.00cvss epss 0.00

    ### Summary filebrowser builds the download-as-zip / download-as-tar archive entry names with `filepath.ToSlash`, which on a Linux host is a no-op for backslashes (`\` is only a path separator on Windows). A file whose name contains Windows-style traversal (`..\..\..\evil.txt`)…

  • CVE-2026-54094Jun 12, 2026
    risk 0.00cvss epss 0.00

    ## Summary File Browser enforces per-user scope with `afero.NewBasePathFs(afero.NewOsFs(), scope)`, set up in `users/users.go`. This blocks lexical `../` traversal, but it does not stop the HTTP file handlers from following symbolic links before they open, serve, write, share,…

  • CVE-2026-32761Mar 19, 2026
    risk 0.00cvss epss 0.00

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download =…

  • CVE-2026-32760Mar 19, 2026
    risk 0.00cvss epss 0.01

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is…

  • CVE-2026-32758Mar 19, 2026
    risk 0.00cvss epss 0.00

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in…

  • CVE-2026-28492Mar 5, 2026
    risk 0.00cvss epss 0.00

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses…

  • CVE-2026-29188Mar 5, 2026
    risk 0.00cvss epss 0.00

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with…

  • CVE-2026-25890Feb 9, 2026
    risk 0.00cvss epss 0.00

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By…

  • CVE-2026-25889Feb 9, 2026
    risk 0.00cvss epss 0.00

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or…

  • CVE-2026-23849Jan 19, 2026
    risk 0.00cvss epss 0.00

    File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid…

  • CVE-2025-64523Nov 12, 2025
    risk 0.00cvss epss 0.00

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Versions prior to 2.45.1 have an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application's share…

  • CVE-2025-53826Jul 15, 2025
    risk 0.00cvss epss 0.01

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs…

  • CVE-2025-53893Jul 15, 2025
    risk 0.00cvss epss 0.00

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.38.0, a Denial of Service (DoS) vulnerability exists in the file processing logic when reading a file on endpoint …

  • CVE-2025-52997Jun 30, 2025
    risk 0.00cvss epss 0.00

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and brute-force protection makes the authentication process insecure. Attackers…

  • CVE-2025-52996Jun 30, 2025
    risk 0.00cvss epss 0.00

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions 2.32.0 and prior, the implementation of password protected links is error-prone, resulting in potential unprotected…

  • CVE-2025-52995Jun 30, 2025
    risk 0.00cvss epss 0.01

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they…

  • CVE-2025-52901Jun 30, 2025
    risk 0.00cvss epss 0.00

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier…

  • CVE-2025-52902Jun 26, 2025
    risk 0.00cvss epss 0.00

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript…

  • CVE-2025-52900Jun 26, 2025
    risk 0.00cvss epss 0.00

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same…

  • CVE-2023-39612Sep 16, 2023
    risk 0.00cvss epss 0.01

    A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL.

  • CVE-2021-46398Feb 4, 2022
    risk 0.00cvss epss 0.07

    A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. An admin can run commands using the…

  • CVE-2021-37794Aug 31, 2021
    risk 0.00cvss epss 0.01

    A stored cross-site scripting (XSS) vulnerability exists in FileBrowser < v2.16.0 that allows an authenticated user authorized to upload a malicious .svg file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger…

  • CVE-2013-2036Jun 24, 2013
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in the Filebrowser module 6.x-2.x before 6.x-2.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "lists of files."