Impact
The vulnerability arises from the way File Browser normalizes request URLs. When an authenticated user includes multiple leading slashes in the requested path, the application fails to match the configured "Disallow" rules against that path, while the underlying filesystem still resolves it to the same location. Because the rule check and the filesystem see two different paths, the user can read or modify files outside the directory the rules were meant to restrict, violating the principle of least privilege and potentially exposing sensitive data. The flaw is a path-based access control bypass, corresponding to CWE-706 (use of incorrectly resolved name or reference) and CWE-863 (incorrect authorization).
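The pattern behind this class of bug, shown as an added illustration rather than File Browser's own code: a deny rule is compared against the raw request path, so a path with a doubled leading slash slips past the prefix check, while the filesystem layer collapses the slashes and serves the restricted file anyway. The `Rule` type, the rule set and the request paths below are constructed for the example; the fix shown is the generic one of cleaning the path before any rule is evaluated.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is a hypothetical path-prefix deny rule (constructed for this example).
// A request at or below Path is denied.
type Rule struct {
	Path string
}

// matchesPrefix reports whether reqPath is r.Path itself or lies beneath it.
// Comparing against r.Path+"/" avoids treating "/secretary" as inside "/secret".
func matchesPrefix(r Rule, reqPath string) bool {
	return reqPath == r.Path || strings.HasPrefix(reqPath, r.Path+"/")
}

// deniedRaw is the vulnerable check: rules are evaluated against the request
// path exactly as received. "//secret/key.txt" does not start with "/secret/",
// so no rule matches, yet the filesystem resolves it to /secret/key.txt.
func deniedRaw(rules []Rule, reqPath string) bool {
	for _, r := range rules {
		if matchesPrefix(r, reqPath) {
			return true
		}
	}
	return false
}

// normalize reduces the request path to the single canonical form the
// filesystem will act on: repeated slashes collapsed, "." and ".." resolved,
// and the result forced to be rooted so it cannot climb above "/".
func normalize(reqPath string) string {
	return path.Clean("/" + reqPath)
}

// deniedNormalized is the hardened check: normalize first, then apply the
// same rule comparison. Rule check and filesystem now see the same path.
func deniedNormalized(rules []Rule, reqPath string) bool {
	return deniedRaw(rules, normalize(reqPath))
}

func main() {
	rules := []Rule{{Path: "/secret"}}
	for _, p := range []string{"/secret/key.txt", "//secret/key.txt", "/public/readme"} {
		fmt.Printf("%-20s raw-denied=%-5v normalized=%-18s normalized-denied=%v\n",
			p, deniedRaw(rules, p), normalize(p), deniedNormalized(rules, p))
	}
}
```

Running it shows the gap directly: the raw check denies `/secret/key.txt` but lets `//secret/key.txt` through, while the normalized check denies both because they clean to the same path. The same normalization step also keeps `/../secret` from escaping the root.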
Affected Systems
File Browser versions released prior to 2.57.1 are affected. The issue is present in every deployment that uses the default configuration, regardless of operating system or hosting infrastructure, because the path normalization logic is independent of the host environment. Updating to release 2.57.1 or later removes the vulnerability, as the upstream project corrected the evaluation of path prefixes.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, and the EPSS score of less than 1% suggests a low but non-zero probability of exploitation in the wild. The vulnerability requires authentication, so an attacker must first obtain valid credentials or access to an authorized session; no elevated privileges are necessary beyond that. The attack vector is a web request to the File Browser API or front-end in which the requested path carries a doubled slash. Because the flaw is not exploited automatically and is limited to authenticated users, the threat remains contained but still significant in environments where users have accounts yet should not be able to reach restricted directories.
OpenCVE Enrichment