Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, unchecked password maximums allow an arbitrarily large password to be passed into the login API. This spikes CPU and memory, and after testing, crashes, heavily lags any container created, and has even made my docker daemon start to send errors with status code 500 even after the container was destroyed. This vulnerability is fixed in 2.63.6.
Published: 2026-06-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

File Browser is a web-based file manager that allows users to upload, delete, preview, rename and edit files. The vulnerability resides in its public login API, which accepts a password field with no length check. When an attacker supplies an extraordinarily large password, the server consumes excessive CPU and memory, leading to severe latency, crashes and, in containerized environments, faults that propagate to the host daemon. The flaw maps to CWE-400 (Uncontrolled Resource Consumption) and CWE-1284 (Improper Validation of Specified Quantity in Input).

Affected Systems

The flaw affects installations of File Browser v2.63.5 and earlier, regardless of deployment mode, including Docker containers and bare-metal hosts. The upstream project recommends upgrading to v2.63.6 or later to receive the input-validation patch.

Risk and Exploitability

The CVSS score of 6.5 classifies this as a medium-severity flaw. No EPSS data is available, so the likelihood of exploitation cannot be quantified, and the vulnerability is not yet listed in CISA's KEV catalog. Attackers can exploit it remotely by issuing oversized password strings to the publicly exposed login endpoint; the payload can be sent from any network position that can reach the container or host, triggering DoS without needing further privileges.

Generated by OpenCVE AI on June 25, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.63.6 or newer, which enforces maximum password length and contains the fix.
  • If a version upgrade cannot be applied immediately, block or restrict the public login API by firewall rules, VPN or authentication, so only trusted clients can reach it.
  • Enable monitoring of CPU and memory usage and log rates on the login endpoint; set alerts for abnormal spikes that may indicate attempts to trigger the DoS.

Generated by OpenCVE AI on June 25, 2026 at 19:26 UTC.
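The first recommended action above, enforcing a maximum password length, is the kind of bound that has to be applied before any expensive work on the request. The following is an added example written for this page; it is not File Browser's own login code. It assumes a JSON login body with `username` and `password` fields, caps the whole request body (hypothetical 4 KiB limit) and each credential field (hypothetical 256 bytes) before parsing and verifying, and uses a plain SHA-256 comparison as a stand-in for the slow password hash a real server would run, so that the block executes offline.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// Illustrative limits (assumptions for this example, not File Browser's values).
const (
	maxLoginBodyBytes = 4 * 1024 // cap on the entire login request body
	maxUsernameBytes  = 256      // cap on the username field
	maxPasswordBytes  = 256      // cap on the password field
)

var (
	ErrUsernameTooLong = errors.New("username exceeds maximum length")
	ErrPasswordTooLong = errors.New("password exceeds maximum length")
	ErrEmptyPassword   = errors.New("password must not be empty")
)

type loginRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// validateCredentials enforces size bounds on both fields. It runs before any
// hashing so an oversized input is rejected at constant, negligible cost.
func validateCredentials(username, password string) error {
	if len(username) > maxUsernameBytes {
		return ErrUsernameTooLong
	}
	if len(password) == 0 {
		return ErrEmptyPassword
	}
	if len(password) > maxPasswordBytes {
		return ErrPasswordTooLong
	}
	return nil
}

// slowVerify stands in for a deliberately slow password hash (bcrypt, argon2, ...).
// A plain SHA-256 compare is used here only so the example runs without dependencies.
func slowVerify(stored [32]byte, password string) bool {
	h := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(stored[:], h[:]) == 1
}

// loginHandler reads the body under a hard byte cap, validates field sizes,
// and only then performs the (simulated) expensive verification.
func loginHandler(stored [32]byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// Read at most one byte more than the cap so we can tell "too large"
		// apart from "exactly at the cap" without buffering an unbounded body.
		body, err := io.ReadAll(io.LimitReader(r.Body, maxLoginBodyBytes+1))
		if err != nil {
			http.Error(w, "could not read login request", http.StatusBadRequest)
			return
		}
		if len(body) > maxLoginBodyBytes {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		var req loginRequest
		if err := json.Unmarshal(body, &req); err != nil {
			http.Error(w, "malformed login request", http.StatusBadRequest)
			return
		}
		if err := validateCredentials(req.Username, req.Password); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if !slowVerify(stored, req.Password) {
			http.Error(w, "invalid credentials", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

func main() {
	// Stand-alone demonstration of the field-level check with constructed inputs.
	fmt.Println("short password:", validateCredentials("admin", "hunter2"))
	oversized := make([]byte, 100000)
	for i := range oversized {
		oversized[i] = 'a'
	}
	fmt.Println("100000-byte password:", validateCredentials("admin", string(oversized)))
}
```

The ordering is the point: body cap, then field length checks, then the password hash. Reversing it (hashing first, or parsing an unbounded body) is exactly what lets a single oversized login request consume CPU and memory out of proportion to its cost to the sender.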

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-w5fm-68j4-fpc4
Title: File Browser has a DoS Vulnerability via Public Login API
History

Fri, 26 Jun 2026 03:30:00 +0000

Type: References (no values listed)
Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Filebrowser, Filebrowser filebrowser
Type: Vendors & Products
Values Added: Filebrowser, Filebrowser filebrowser

Thu, 25 Jun 2026 18:30:00 +0000

Type: Description
Values Added: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, unchecked password maximums allow an arbitrarily large password to be passed into the login API. This spikes CPU and memory, and after testing, crashes, heavily lags any container created, and has even made my docker daemon start to send errors with status code 500 even after the container was destroyed. This vulnerability is fixed in 2.63.6.
Type: Title
Values Added: File Browser: DoS Vulnerability on Public Login API
Type: Weaknesses
Values Added: CWE-1284, CWE-400
Type: References (no values listed)
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T02:13:34.437Z

Reserved: 2026-06-11T18:44:47.761Z

Link: CVE-2026-54092

Vulnrichment

Updated: 2026-06-26T02:13:30.349Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses
  • CWE-1284: Improper Validation of Specified Quantity in Input
  • CWE-400: Uncontrolled Resource Consumption