ГлавнаяУязвимости → CVE-2026-35606
7.5высокая

CVE-2026-35606

Описание

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other content-serving endpoints (/api/raw, /api/preview, /api/subtitle) correctly verify this permission before serving content. A user with download: false can read any text file within their scope through two bypass paths. This vulnerability is fixed in 2.63.1.

Затрагиваемое ПО
Filebrowser Filebrowser
CVSS
Балл7.5 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Источники
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-67cg-cpj7-qgc9https://github.com/filebrowser/filebrowser/security/advisories/GHSA-67cg-cpj7-qgc9