Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

File Browser, a web‑based file management interface, contains a path traversal flaw in the handling of public share links. When a user creates a link for a directory, the system incorrectly resolves the base path to the directory’s parent rather than the directory itself, permitting unauthenticated users who possess the link to view and download any sibling files. This oversight is an Information Disclosure vulnerability (CWE‑200) and can expose sensitive data outside the intended shared folder.
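
The root miscalculation described above, shown as an added Go example (not File Browser's own code). The helpers shareRoot, resolve and inside are hypothetical, the paths are constructed, and resolve only approximates how a base-path filesystem confines a request to its root.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// shareRoot returns the directory a public share is confined to.
// buggy=true models the behaviour described above: the parent of the
// shared path is always used, which is only right for a single-file share.
func shareRoot(sharedPath string, isDir, buggy bool) string {
	if buggy || !isDir {
		return filepath.Dir(sharedPath)
	}
	return filepath.Clean(sharedPath)
}

// resolve maps a client-supplied path onto root: the path is cleaned as an
// absolute path (so ".." cannot climb above "/") and then joined under root.
func resolve(root, requested string) string {
	return filepath.Join(root, filepath.Clean("/"+requested))
}

// inside reports whether target is dir itself or lies beneath it.
func inside(dir, target string) bool {
	rel, err := filepath.Rel(dir, target)
	up := ".." + string(filepath.Separator)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, up)
}

func main() {
	shared := "/srv/data/projects" // constructed sample: a shared directory
	requests := []string{"/report.txt", "/hr/salaries.csv", "/../hr/salaries.csv"}
	for _, req := range requests {
		for _, buggy := range []bool{true, false} {
			got := resolve(shareRoot(shared, true, buggy), req)
			fmt.Printf("buggy=%-5v %-20s -> %-36s inside share: %v\n",
				buggy, req, got, inside(shared, got))
		}
	}
}
```

The confinement step is sound in both runs; only the choice of root decides whether a sibling such as /srv/data/hr is reachable, so a regression test for the fix can assert that every resolved path stays inside the shared directory.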

Affected Systems

The flaw affects all File Browser installations running any version earlier than 2.61.0, including the 2.60.x releases. Later releases are unaffected.

Risk and Exploitability

The CVSS score of 7.1 corresponds to High severity, while the EPSS value of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA catalog of known exploited vulnerabilities, and no public exploit has been reported. It can be exploited by any user who obtains a public share link; the attacker does not need any credentials and can traverse into sibling directories to retrieve files.

Generated by OpenCVE AI on April 17, 2026 at 12:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install File Browser version 2.61.0 or later to eliminate the path traversal bug.
  • After upgrading, regenerate or delete any existing public share links to ensure they no longer reference directories that could expose parent files.
  • Review and tighten the configuration of public links, restricting them to the intended directory hierarchy and disabling temporary sharing until the patch is in place if necessary.



Advisories
Source: GitHub GHSA
ID: GHSA-mr74-928f-rw69
Title: FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory

History

Tue, 10 Mar 2026 19:45:00 +0000

  • CPEs, values added: cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*
  • Metrics, values added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Fri, 06 Mar 2026 15:30:00 +0000

  • First Time appeared, values added: Filebrowser; Filebrowser filebrowser
  • Vendors & Products, values added: Filebrowser; Filebrowser filebrowser

Fri, 06 Mar 2026 11:15:00 +0000

  • Metrics, values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 21:15:00 +0000

  • Description, values added: the text given under Description at the top of this page
  • Title, values added: File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory
  • Weaknesses, values added: CWE-200
  • References
  • Metrics, values added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T10:45:32.640Z

Reserved: 2026-02-27T20:57:47.707Z

Link: CVE-2026-28492

Vulnrichment

Updated: 2026-03-06T10:45:28.482Z

NVD

Status: Analyzed

Published: 2026-03-05T21:16:22.630

Modified: 2026-03-10T19:34:55.903

Link: CVE-2026-28492

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z
