CVE-2026-62843
File Browser: Archive builder turns backslash filenames into path traversal (zip-slip)
CVSS Score
6.8
EPSS Score
0.0%
EPSS Percentile
0th
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.63.6 to 2.63.16, File Browser's archive builder uses strings.ReplaceAll(nameInArchive, "\", "/"), which turns a POSIX filename such as ..\..\evil.sh into the archive entry ../../evil.sh, allowing a user with upload permission to plant a backslash-named file that escapes the extraction directory when another user downloads and extracts the generated zip or tar archive. This issue is fixed in version 2.63.17.
| CWE | CWE-22 CWE-23 |
| Vendor | filebrowser |
| Product | filebrowser |
| Published | Jul 15, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for filebrowser filebrowser
Be the first to know when new medium vulnerabilities affecting filebrowser filebrowser are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None
Affected Versions
filebrowser / filebrowser
>= 2.63.6, < 2.63.17