CVE-2026-54097
UNKNOWN
NVD
CVSS Score
0
Severity
UNKNOWN
Published
Jun 25, 2026
Vendor
unknown
Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a low-privileged authenticated user of filebrowser (with create + delete permissions in their own isolated scope) can silently destroy share-link records belonging to any other user โ including the administrator โ by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user's stored share.Link.Path. The file contents of the victim are not exposed, but the victim's share links are irrevocably wiped. This vulnerability is fixed in 2.63.6.
References
- https://github.com/filebrowser/filebrowser/commit/0231b7ebdfbe77a6c54027d30c4856c3fd81ee4d
- https://github.com/filebrowser/filebrowser/releases/tag/v2.63.6
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5ww9-jg6q-38r7
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5ww9-jg6q-38r7