CVE-2026-62685
HIGH
8.1
CVSS 3.1
Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser builds new user scopes from usernames passed through cleanUsername() when Signup=true and CreateUserDir=true, but the many-to-one normalization can collapse usernames such as team/one, team one, and team-one to the same home directory without checking whether the resulting scope is already taken, allowing a second registrant to gain full read and write access to another user's files. This issue is fixed in version 2.63.17.
Metadata
Severity & Metrics
8.1
HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| filebrowser | filebrowser | — | < 2.63.17 |
Weakness (CWE)
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 8.1 | HIGH | 3.1 | cna | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (3)
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7rc3-g7h6-22m7 https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7rc3-g7h6-22m7
- https://github.com/filebrowser/filebrowser/commit/883a36f02fcb69566a8628cb47f18fdc73348387 https://github.com/filebrowser/filebrowser/commit/883a36f02fcb69566a8628cb47f18fdc73348387
- https://github.com/filebrowser/filebrowser/releases/tag/v2.63.17 https://github.com/filebrowser/filebrowser/releases/tag/v2.63.17