Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.14, it does not stop the HTTP file handlers from following symbolic links before they open, serve, write, share, or list a file. As a result, a scoped user — and in some cases an unauthenticated public-share recipient — can cross the intended scope boundary by following a symlink whose path is lexically inside their scope but whose target is outside it. This vulnerability is fixed in 2.63.14.
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

File Browser does not limit symbolic link resolution for its HTTP handlers before version 2.63.14, enabling a user scoped to a specific directory to follow a link whose lexical path appears inside the scope but whose real target lies outside. This flaw permits the scoped user, and even an unauthenticated recipient of a public share link, to read, overwrite, or share any file reachable via the symlink, effectively breaching confidentiality and integrity of data beyond the intended boundary.

Affected Systems

All versions of the File Browser file‑management interface older than 2.63.14 are affected. The vulnerability applies to the default scoped user accounts and any public‑share recipients whose links target files through such symlinks.

Risk and Exploitability

The CVSS score of 7.5 indicates a high‑severity flaw. EPSS is not currently available, so the exact likelihood of exploitation is uncertain, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires sending or manipulating an HTTP request handled by File Browser’s file endpoints; a scoped user can trigger the flaw via normal file operations, while an unauthenticated user can exploit it through a lingering public share link. The attack path is local to the web application, and no additional system privileges are needed beyond normal user access or the public share URL.

Generated by OpenCVE AI on June 25, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.63.14 or later, which blocks symlink following outside the defined scope.
  • If an immediate upgrade is not feasible, disable or remove symbolic links from the directory exposed by File Browser, or reconfigure the application to reject symlink paths during file operations.
  • Block or revoke existing public‑share links that may point to susceptible files, and restrict public share permissions to read‑only until the patch is applied.

Generated by OpenCVE AI on June 25, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-239w-m3h6-ch8v File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope
History

Thu, 25 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Filebrowser
Filebrowser filebrowser
Vendors & Products Filebrowser
Filebrowser filebrowser

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.14, it does not stop the HTTP file handlers from following symbolic links before they open, serve, write, share, or list a file. As a result, a scoped user — and in some cases an unauthenticated public-share recipient — can cross the intended scope boundary by following a symlink whose path is lexically inside their scope but whose target is outside it. This vulnerability is fixed in 2.63.14.
Title File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope
Weaknesses CWE-22
CWE-59
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Filebrowser Filebrowser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:42:35.721Z

Reserved: 2026-06-11T18:44:47.762Z

Link: CVE-2026-54094

cve-icon Vulnrichment

Updated: 2026-06-25T18:41:06.575Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')