CVE-2026-54094
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk37th percentile — higher than 37% of all known CVEs
Summary
File Browser prior to version 2.63.14 does not prevent HTTP file handlers from following symbolic links, allowing users to cross their intended scope boundaries.
Risk Assessment
Allowing users to access files outside their scope may lead to unauthorized access to sensitive data.
Recommendation
It is recommended to upgrade to version 2.63.14 or later to mitigate this vulnerability.
Original NVD description (English source)
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.14, it does not stop the HTTP file handlers from following symbolic links before they open, serve, write, share, or list a file. As a result, a scoped user — and in some cases an unauthenticated public-share recipient — can cross the intended scope boundary by following a symlink whose path is lexically inside their scope but whose target is outside it. This vulnerability is fixed in 2.63.14.

