๐Ÿ” CVE Alert

CVE-2026-55668

MEDIUM 6.3

File Browser: ScopedFs follows a dangling symlink on write, letting a scoped user create files outside their scope

CVSS Score
6.3
EPSS Score
0.0%
EPSS Percentile
0th

File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create attacker-controlled files outside the user's scope. This issue is fixed in version 2.63.16.

CWE CWE-22 CWE-59
Vendor filebrowser
Product filebrowser
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for filebrowser filebrowser

Be the first to know when new medium vulnerabilities affecting filebrowser filebrowser are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Affected Versions

filebrowser / filebrowser
< 2.63.16

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-8wc8-hf36-mjh9 github.com: https://github.com/filebrowser/filebrowser/commit/64511ce45e3be379e965f7f4fb0929a068d5bb81 github.com: https://github.com/filebrowser/filebrowser/releases/tag/v2.63.16