CVE-2026-62685
File Browser: Colliding username normalization gives two users the same home directory
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser builds new user scopes from usernames passed through cleanUsername() when Signup=true and CreateUserDir=true, but the many-to-one normalization can collapse usernames such as team/one, team one, and team-one to the same home directory without checking whether the resulting scope is already taken, allowing a second registrant to gain full read and write access to another user's files. This issue is fixed in version 2.63.17.
| CWE | CWE-647 CWE-706 |
| Vendor | filebrowser |
| Product | filebrowser |
| Published | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for filebrowser filebrowser
Be the first to know when new high vulnerabilities affecting filebrowser filebrowser are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
filebrowser / filebrowser
< 2.63.17