CVE-2026-61874
filebrowser before 2.63.17 Stale Public Share via Trailing-Slash Delete
CVSS Score
3.1
EPSS Score
0.2%
EPSS Percentile
10th
filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose new contents through the dormant public share URL.
| CWE | CWE-863 |
| Vendor | filebrowser |
| Product | filebrowser |
| Published | Jul 12, 2026 |
| Last Updated | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for filebrowser filebrowser
Be the first to know when new low vulnerabilities affecting filebrowser filebrowser are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
filebrowser / filebrowser
0 < 2.63.17
References
github.com: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-pp88-jhwj-5qh5 github.com: https://github.com/filebrowser/filebrowser/commit/be23ab3a15bf957928ecfed88de5ab67850c1b9c vulncheck.com: https://www.vulncheck.com/advisories/filebrowser-before-stale-public-share-via-trailing-slash-delete
Credits
๐ DavidCarliez hacdias