Back to overview

CVE-2026-62683

LOW Exploitation: PoC
3.1
CVSS 3.1
Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser can leave a public directory share behind when the shared directory is deleted through a path with a trailing slash because the share cleanup path calls DeleteWithPathPrefix(file.Path, userID) and the Bolt backend performs the database prefix query with the unnormalized path before trimming the slash for boundary checks, so deleting /a/ does not delete the stored /a share and the stale public share exposes future content if the same path is recreated. This issue is fixed in version 2.63.17.

Metadata

CVE ID
CVE-2026-62683
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-14 20:22 UTC
Published
2026-07-15 15:40 UTC
Last updated
2026-07-15 18:02 UTC
Primary CWE
CWE-863
CWE-863: Incorrect Authorization
Vendor / Product
filebrowser / filebrowser
Sources
cve.org  ·  NVD

Severity & Metrics

3.1 LOW CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
filebrowser filebrowser < 2.63.17
Weakness (CWE)
CWESourceDescription
CWE-863 cna CWE-863: Incorrect Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
3.1 LOW 3.1 cna CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
References (3)
Back to overview