Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, filebrowser builds the download-as-zip / download-as-tar archive entry names with filepath.ToSlash, which on a Linux host is a no-op for backslashes (\ is only a path separator on Windows). A file whose name contains Windows-style traversal is accepted by the resource handlers, stored on the Linux filesystem with a literal backslash name, and then emitted verbatim as the archive entry name. Windows extractors interpret \ as a path separator and write the extracted file outside the extraction directory — arbitrary file write on the victim who downloads and extracts the archive. This vulnerability is fixed in 2.63.6.
Published: 2026-06-25
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

File Browser allows administrators to download files as a zip or tar archive. When a file containing a Windows‑style backslash in its name is uploaded, the server stores it literally on the Linux filesystem. During archive creation the original filename is used verbatim, so the resulting archive entry contains a backslash. Extraction tools on Windows interpret the backslash as a path separator, causing the file to be written outside the intended extraction directory. This allows an attacker to place an arbitrary file on a victim’s machine when the victim downloads and extracts the archive.

Affected Systems

File Browser, a file‑management interface. Versions prior to 2.63.6 are vulnerable. The flaw appears in all releases that do not contain the patch implemented in 2.63.6.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting lower immediate risk of widespread exploitation. However, the attack requires that a victim download and extract the malicious archive on a Windows system, which may still enable arbitrary file write on the local machine if the extraction is performed with elevated privileges.

Generated by OpenCVE AI on June 25, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.63.6 or later, which removes the vulnerability.
  • If an immediate upgrade is not possible, disable or restrict the download‑as‑zip and download‑as‑tar features to prevent production of vulnerable archives.
  • Sanitize filenames by removing or rejecting Windows‑style backslashes before accepting uploads, or extract archives in a hardened environment that does not honor backslashes as path separators.


Tracking


Advisories
Source: Github GHSA
ID: GHSA-gxjx-7m74-hcq8
Title: File Browser: FilePath traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames
History

Thu, 25 Jun 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 18:30:00 +0000

Type: Description
Values Added: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, filebrowser builds the download-as-zip / download-as-tar archive entry names with filepath.ToSlash, which on a Linux host is a no-op for backslashes (\ is only a path separator on Windows). A file whose name contains Windows-style traversal is accepted by the resource handlers, stored on the Linux filesystem with a literal backslash name, and then emitted verbatim as the archive entry name. Windows extractors interpret \ as a path separator and write the extracted file outside the extraction directory — arbitrary file write on the victim who downloads and extracts the archive. This vulnerability is fixed in 2.63.6.

Type: Title
Values Added: File Browser: Path traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames

Type: Weaknesses
Values Added: CWE-22

Type: References
Values Added: none listed

Type: Metrics (cvssV4_0)
Values Added: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:24:27.259Z

Reserved: 2026-06-11T18:44:47.761Z

Link: CVE-2026-54093

Vulnrichment

Updated: 2026-06-25T18:24:10.332Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T19:30:15Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')