๐Ÿ” CVE Alert

CVE-2026-61874

LOW 3.1

filebrowser before 2.63.17 Stale Public Share via Trailing-Slash Delete

CVSS Score
3.1
EPSS Score
0.2%
EPSS Percentile
10th

filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose new contents through the dormant public share URL.

CWE CWE-863
Vendor filebrowser
Product filebrowser
Published Jul 12, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for filebrowser filebrowser

Be the first to know when new low vulnerabilities affecting filebrowser filebrowser are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Affected Versions

filebrowser / filebrowser
0 < 2.63.17

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-pp88-jhwj-5qh5 github.com: https://github.com/filebrowser/filebrowser/commit/be23ab3a15bf957928ecfed88de5ab67850c1b9c vulncheck.com: https://www.vulncheck.com/advisories/filebrowser-before-stale-public-share-via-trailing-slash-delete

Credits

๐Ÿ” DavidCarliez hacdias