CVE Catalog

CVE-2026-54096

HighCVSS 8.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile — higher than 7% of all known CVEs

Summary

File Browser prior to version 2.63.7 allowed creating public shares for any path without verifying the existence of the file. When a file was created at that same location, the share became immediately active, leading to unauthorized access to files.

Risk Assessment

Organizations may be exposed to unauthorized access to sensitive files, potentially leading to data leaks or privacy violations.

Recommendation

It is recommended to update File Browser to version 2.63.7 or later to mitigate this vulnerability and to audit existing public shares.

Original NVD description (English source)

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.7, `POST /api/share/<path>` accepts an authenticated request for an arbitrary path and stores a public share record without checking whether the target file currently exists. Later, when a file is created at that same path, the previously created public share immediately becomes valid and exposes the new file through `GET /api/public/dl/<hash>`. This vulnerability is fixed in 2.63.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS