CVE-2026-35607
HIGH EPSS 30.2%
Published Apr 7, 20262mo ago · Modified Jun 17, 20261w ago
8.8 CVSS 3.1
Published Apr 7, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago
Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 ("self-registered users don't get execute perms") stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted execution capabilities from global defaults, even though the signup path was explicitly changed to prevent execution rights from being inherited by automatically provisioned accounts. This vulnerability is fixed in 2.63.1.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
30.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-269 Improper Privilege Management Authorization
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| filebrowser | filebrowser | * | ≤2.63.0 |
References 2
- github.com https://github.com/filebrowser/filebrowser/pull/5890
- github.com https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7526-j432-6ppp
Remediation
- github.com https://github.com/filebrowser/filebrowser/pull/5890