
filebrowser — Vulnerabilities & Security Advisories 28

Browse all 28 CVE security advisories affecting filebrowser. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Filebrowser is an open-source web application designed to manage files and folders within a web interface, primarily serving as a lightweight alternative to traditional FTP servers for self-hosted environments. Its architecture, built on Go, facilitates easy deployment but has historically exposed users to significant security risks. Analysis of its twenty-eight recorded Common Vulnerabilities and Exposures reveals a pattern of critical flaws, predominantly involving remote code execution and cross-site scripting. These vulnerabilities often stem from insufficient input validation and improper access controls, allowing attackers to escalate privileges or execute arbitrary commands on the host system. While the project maintains an active development cycle, past incidents highlight the dangers of complex file manipulation logic. Users are advised to implement strict network segmentation and regular patching to mitigate the inherent risks associated with exposing file system operations through a web interface.

Top products by filebrowser: filebrowser
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-35607 | File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands | filebrowser | CWE-269 | 8.1 | High | 2026-04-07 |
| CVE-2026-35606 | File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check | filebrowser | CWE-862 | 6.5 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-35605 | File Browser has an access rule bypass via HasPrefix without trailing separator in path matching | filebrowser | CWE-22 | 7.3 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-35604 | File Browser share links remain accessible after Share/Download permissions are revoked | filebrowser | CWE-863 | 4.3 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-35585 | File Browser has a Command Injection via Hook Runner | filebrowser | CWE-78 | 8.8 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-34530 | File Browser is vulnerable to Stored Cross-Site Scripting via text/template branding injection | filebrowser | CWE-79 | 6.9 | Medium | 2026-04-01 |
| CVE-2026-34528 | File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution | filebrowser | CWE-269 | 8.1 | High | 2026-04-01 |
| CVE-2026-34529 | File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file | filebrowser | CWE-79 | 7.6 | High | 2026-04-01 |
| CVE-2026-32761 | File Browser has an Authorization Policy Bypass in its Public Share Download Flow | filebrowser | CWE-284 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-32760 | File Browser Self Registration Grants Any User Admin Access When Default Permissions Include Admin | filebrowser | CWE-269 | 9.8 | - | 2026-03-19 |
| CVE-2026-32759 | File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely | filebrowser | CWE-190 | 8.1 | - | 2026-03-19 |
| CVE-2026-32758 | File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter | filebrowser | CWE-863 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-28492 | File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory | filebrowser | CWE-200 | 8.1 | - | 2026-03-05 |
| CVE-2026-29188 | File Browser: TUS Delete Endpoint Bypasses Delete Permission Check | filebrowser | CWE-732 | 9.1 | Critical | 2026-03-05 |
| CVE-2026-25890 | File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL | filebrowser | CWE-706 | 8.1 | High | 2026-02-09 |
| CVE-2026-25889 | File Browser has an Authentication Bypass in User Password Update | filebrowser | CWE-178 | 5.4 | Medium | 2026-02-09 |
| CVE-2026-23849 | File Browser vulnerable to Username Enumeration via Timing Attack in /api/login | filebrowser | CWE-208 | 5.3 | Medium | 2026-01-19 |
| CVE-2025-64523 | FileBrowser has Insecure Direct Object Reference (IDOR) in Share Deletion Function | filebrowser | CWE-285 | 7.1 | - | 2025-11-12 |
| CVE-2025-53826 | FileBrowser Has Insecure JWT Handling Which Allows Session Replay Attacks after Logout | filebrowser | CWE-305 | 9.8 (AI) | Critical (AI) | 2025-07-15 |
| CVE-2025-53893 | File Browser Vulnerable to Uncontrolled Memory Consumption Due to Oversized File Processing | filebrowser | CWE-400 | 6.5 (AI) | Medium (AI) | 2025-07-15 |
| CVE-2025-52997 | File Browser Insecurely Handles Passwords | filebrowser | CWE-307 | 5.9 | Medium | 2025-06-30 |
| CVE-2025-52996 | File Browser's Password Protection of Links Vulnerable to Bypass | filebrowser | CWE-305 | 3.1 | Low | 2025-06-30 |
| CVE-2025-52995 | File Browser vulnerable to command execution allowlist bypass | filebrowser | CWE-77 | 8.1 | High | 2025-06-30 |
| CVE-2025-52901 | File Browser allows sensitive data to be transferred in URL | filebrowser | CWE-598 | 4.5 | Medium | 2025-06-30 |
| CVE-2025-52904 | File Browser: Command Execution not Limited to Scope | filebrowser | CWE-77 | 8.1 | High | 2025-06-26 |
| CVE-2025-52903 | File Browser Allows Execution of Shell Commands That Can Spawn Other Commands | filebrowser | CWE-77 | 8.1 | High | 2025-06-26 |
| CVE-2025-52902 | File Browser has Stored Cross-Site Scripting vulnerability | filebrowser | CWE-79 | 7.6 | High | 2025-06-26 |
| CVE-2025-52900 | File Browser has Insecure File Permissions | filebrowser | CWE-276 | 5.5 | Medium | 2025-06-26 |

This page lists every published CVE security advisory associated with filebrowser. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.