CVE-2026-28492— File Browser 信息泄露漏洞

File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0.

N/A

信息暴露

File Browser 信息泄露漏洞

File Browser是File Browser开源的一个文件管理界面，在指定的目录，它可以用来上传，删除，预览和编辑文件。 File Browser 2.61.0之前版本存在信息泄露漏洞，该漏洞源于创建目录的公共共享链接时，http/public.go中的withHashFile中间件使用filepath.Dir(link.Path)计算BasePathFs根目录，可能导致拥有共享链接的任何人都能浏览和下载所有同级目录中的文件。

N/A

N/A