CVE-2026-54097
File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a low-privileged authenticated user of filebrowser (with create + delete permissions in their own isolated scope) can silently destroy share-link records belonging to any other user โ including the administrator โ by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user's stored share.Link.Path. The file contents of the victim are not exposed, but the victim's share links are irrevocably wiped. This vulnerability is fixed in 2.63.6.
| CWE | CWE-639 |
| Vendor | filebrowser |
| Product | filebrowser |
| Published | Jun 25, 2026 |
| Last Updated | Jun 25, 2026 |
Get instant alerts for filebrowser filebrowser
Be the first to know when new unknown vulnerabilities affecting filebrowser filebrowser are published โ delivered to Slack, Telegram or Discord.