CVE Catalog

CVE-2026-54091

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.47%

37th percentile — higher than 37% of all known CVEs

Summary

File Browser before version 2.63.6 contains a vulnerability due to incorrect path handling in public shares. An attacker who knows the URL of a public directory share can bypass rules blocking access to files and subdirectories located under the shared directory. The issue arises because the system rebases the filesystem root to the shared directory and then evaluates paths relative to it, instead of relative to the owner's original scope.

Risk Assessment

The risk is unauthorized data disclosure – an attacker knowing the public share URL can access files and directories explicitly blocked by the owner via rules. This can lead to leakage of sensitive information without authentication.

Recommendation

Immediately update File Browser to version 2.63.6 or later, which contains the fix for this vulnerability. After updating, review and adjust access rules for shared directories as needed.

Original NVD description (English source)

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope. As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through `GET /api/public/share/*` and `GET /api/public/dl/*`. This vulnerability is fixed in 2.63.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS