Back to overview

CVE-2026-62685

HIGH
8.1
CVSS 3.1
Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser builds new user scopes from usernames passed through cleanUsername() when Signup=true and CreateUserDir=true, but the many-to-one normalization can collapse usernames such as team/one, team one, and team-one to the same home directory without checking whether the resulting scope is already taken, allowing a second registrant to gain full read and write access to another user's files. This issue is fixed in version 2.63.17.

Metadata

CVE ID
CVE-2026-62685
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-14 20:22 UTC
Published
2026-07-15 15:47 UTC
Last updated
2026-07-15 15:47 UTC
Primary CWE
CWE-647
CWE-647: Use of Non-Canonical URL Paths for Authorization De…
Vendor / Product
filebrowser / filebrowser
Sources
cve.org  ·  NVD

Severity & Metrics

8.1 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
filebrowser filebrowser < 2.63.17
Weakness (CWE)
CWESourceDescription
CWE-647 cna CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions
CWE-706 cna CWE-706: Use of Incorrectly-Resolved Name or Reference
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.1 HIGH 3.1 cna CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References (3)
Back to overview