filebrowser — Vulnerabilities & Security Advisories (38)

Browse all 38 CVE security advisories affecting filebrowser. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Filebrowser is an open-source web application for managing files and folders through a web interface, primarily serving as a lightweight alternative to traditional FTP servers in self-hosted environments. It is built on Go, which makes it easy to deploy, but it has historically exposed users to significant security risks. Analysis of its twenty-eight recorded CVEs reveals a pattern of critical flaws, predominantly involving remote code execution and cross-site scripting. These vulnerabilities often stem from insufficient input validation and improper access controls, allowing attackers to escalate privileges or execute arbitrary commands on the host system. While the project maintains an active development cycle, past incidents highlight the dangers of complex file manipulation logic. Users are advised to implement strict network segmentation and regular patching to mitigate the inherent risks of exposing file system operations through a web interface.

Top products by filebrowser: filebrowser
| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-54090 | File Browser: Command Allowlist Bypass via Shell Metacharacter Injection — filebrowser | CWE-77 | - | - | 2026-06-25 |
| CVE-2026-54088 | File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE) — filebrowser | CWE-78 | - | - | 2026-06-25 |
| CVE-2026-54089 | File Browser: Authentication Bypass via Proxy Auth Header Forgery — filebrowser | CWE-287 | 9.1 | Critical | 2026-06-25 |
| CVE-2026-54091 | File Browser: Incorrect access control in public directory shares via rule path rebasing — filebrowser | CWE-863 | 7.5 | High | 2026-06-25 |
| CVE-2026-54092 | File Browser: DoS Vulnerability on Public Login API — filebrowser | CWE-1284 | 6.5 | Medium | 2026-06-25 |
| CVE-2026-54097 | File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix — filebrowser | CWE-639 | - | - | 2026-06-25 |
| CVE-2026-54093 | File Browser: Path traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames — filebrowser | CWE-22 | - | - | 2026-06-25 |
| CVE-2026-54094 | File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope — filebrowser | CWE-22 | 7.5 | High | 2026-06-25 |
| CVE-2026-54096 | File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path — filebrowser | CWE-863 | 8.4 | High | 2026-06-25 |
| CVE-2026-55667 | File Browser: Out-of-scope file deletion by a Create-only scoped user via symlink-following RemoveAll in upload failure-cleanup — filebrowser | CWE-22 | 8.2 | High | 2026-06-25 |
| CVE-2026-35607 | File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands — filebrowser | CWE-269 | 8.1 | High | 2026-04-07 |
| CVE-2026-35606 | File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check — filebrowser | CWE-862 | 6.5 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-35605 | File Browser has an access rule bypass via HasPrefix without trailing separator in path matching — filebrowser | CWE-22 | 7.3 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-35604 | File Browser share links remain accessible after Share/Download permissions are revoked — filebrowser | CWE-863 | 4.3 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-35585 | File Browser has a Command Injection via Hook Runner — filebrowser | CWE-78 | 8.8 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-34530 | File Browser is vulnerable to Stored Cross-Site Scripting via text/template branding injection — filebrowser | CWE-79 | 6.9 | Medium | 2026-04-01 |
| CVE-2026-34528 | File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution — filebrowser | CWE-269 | 8.1 | High | 2026-04-01 |
| CVE-2026-34529 | File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file — filebrowser | CWE-79 | 7.6 | High | 2026-04-01 |
| CVE-2026-32761 | File Browser has an Authorization Policy Bypass in its Public Share Download Flow — filebrowser | CWE-284 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-32760 | File Browser Self Registration Grants Any User Admin Access When Default Permissions Include Admin — filebrowser | CWE-269 | 9.8 | - | 2026-03-19 |
| CVE-2026-32759 | File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely — filebrowser | CWE-190 | 8.1 | - | 2026-03-19 |
| CVE-2026-32758 | File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter — filebrowser | CWE-863 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-28492 | File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory — filebrowser | CWE-200 | 8.1 | - | 2026-03-05 |
| CVE-2026-29188 | File Browser: TUS Delete Endpoint Bypasses Delete Permission Check — filebrowser | CWE-732 | 9.1 | Critical | 2026-03-05 |
| CVE-2026-25890 | File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL — filebrowser | CWE-706 | 8.1 | High | 2026-02-09 |
| CVE-2026-25889 | File Browser has an Authentication Bypass in User Password Update — filebrowser | CWE-178 | 5.4 | Medium | 2026-02-09 |
| CVE-2026-23849 | File Browser vulnerable to Username Enumeration via Timing Attack in /api/login — filebrowser | CWE-208 | 5.3 | Medium | 2026-01-19 |
| CVE-2025-64523 | FileBrowser has Insecure Direct Object Reference (IDOR) in Share Deletion Function — filebrowser | CWE-285 | 7.1 | - | 2025-11-12 |
| CVE-2025-53826 | FileBrowser Has Insecure JWT Handling Which Allows Session Replay Attacks after Logout — filebrowser | CWE-305 | 9.8 (AI) | Critical (AI) | 2025-07-15 |
| CVE-2025-53893 | File Browser Vulnerable to Uncontrolled Memory Consumption Due to Oversized File Processing — filebrowser | CWE-400 | 6.5 (AI) | Medium (AI) | 2025-07-15 |

This page lists every published CVE security advisory associated with filebrowser. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.