CVE-2026-34528

HIGH 8.1

File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution

CVSS Score

8.1

EPSS Score

0.1%

EPSS Percentile

24th

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.

CWE	CWE-269
Vendor	filebrowser
Product	filebrowser
Published	Apr 1, 2026
Last Updated	Apr 2, 2026

Stay Ahead of the Next One

Get instant alerts for filebrowser filebrowser

Be the first to know when new high vulnerabilities affecting filebrowser filebrowser are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

filebrowser / filebrowser

< 2.62.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-x8jc-jvqm-pm3f github.com: https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2