GHSA-7cj6-cw3p-4jpwLowCVSS 3.1

filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in...

Published
July 12, 2026
Last Modified
July 12, 2026

🔗 CVE IDs covered (1)

📋 Description

filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose new contents through the dormant public share URL.

🔗 References (5)