Impact
The vulnerability stems from the Matches() function in File Browser's access rule logic, which uses a simple string prefix check without requiring a trailing path separator. This flaw allows an attacker to craft a path that starts with a permitted directory prefix yet points to an adjacent directory, thereby bypassing the intended restrictions. In practice, a rule granting or denying access to "/uploads" may inadvertently apply to "/uploads_backup" or other similarly prefixed directories, leading to unauthorized read, write, or other file operations. The weakness is a classic path traversal scenario. Because the affected functionality exposes file management operations, a successful exploit could compromise the confidentiality, integrity, and availability of the underlying file system within the compromised scope.
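The following Go example is added here to illustrate the bug class the advisory describes; it is not File Browser's own code and the function names, rule format and fix are assumptions made for the illustration. weakMatches reproduces a bare prefix comparison, so the "/uploads" rule also matches "/uploads_backup"; safeMatches normalises both sides and only accepts a match that ends exactly at a directory boundary.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// weakMatches mirrors the flawed behaviour described in the advisory:
// a plain prefix comparison with no trailing separator, so a rule for
// "/uploads" also covers "/uploads_backup". Illustrative only; this is
// not File Browser's implementation.
func weakMatches(rule, p string) bool {
	return strings.HasPrefix(p, rule)
}

// safeMatches is an assumed hardened form (not the project's actual patch).
// Both sides are cleaned so "..", "//" and trailing slashes cannot alter the
// comparison, then the request path must either equal the rule exactly or
// continue past it with a "/" separator.
func safeMatches(rule, p string) bool {
	rule = path.Clean("/" + rule)
	p = path.Clean("/" + p)
	if rule == "/" {
		return true // a root rule legitimately covers every path
	}
	return p == rule || strings.HasPrefix(p, rule+"/")
}

// compare returns (weak, safe) verdicts for one rule/path pair so the
// difference between the two checks can be inspected side by side.
func compare(rule, p string) (bool, bool) {
	return weakMatches(rule, p), safeMatches(rule, p)
}

func main() {
	// Constructed sample paths: the first two are legitimate children of the
	// rule, the rest are sibling directories or traversal attempts that must
	// not be treated as covered by the "/uploads" rule.
	samples := []string{
		"/uploads",
		"/uploads/report.pdf",
		"/uploads_backup/secret.txt",
		"/uploads2/x",
		"/uploads/../uploads_backup/secret.txt",
	}
	fmt.Printf("%-42s %-6s %-6s\n", "path", "weak", "safe")
	for _, s := range samples {
		w, ok := compare("/uploads", s)
		fmt.Printf("%-42s %-6v %-6v\n", s, w, ok)
	}
}
```

The only behavioural change is the boundary requirement: once the rule prefix is followed by a "/" (or the path is the rule itself), sibling directories that merely share leading characters no longer match, and normalising with path.Clean first means a traversal segment cannot be used to sneak back under the prefix string.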
Affected Systems
The issue impacts the File Browser application under the vendor "filebrowser". Versions earlier than 2.63.1 are affected. Upgrading to 2.63.1 or later resolves the path matching bug.
Risk and Exploitability
With a CVSS score of 6.3, the vulnerability presents moderate severity. Although no EPSS score is available, the lack of a KEV listing suggests it may not yet be widely exploited. An attacker would likely need to send crafted HTTP requests to paths that trigger the flawed prefix check; the attack could be carried out remotely through the web interface. The conditions required are typical of web-based file handling systems and are therefore likely to be met in exposed deployments. As no official workaround is cited, mitigation relies on patching the application.
OpenCVE Enrichment
Github GHSA