CVE-2026-25890 · HIGH 8.1 · EPSS p36.4%

Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting unauthorized access to restricted files. This vulnerability is fixed in 2.57.1.
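The mismatch described above, as an added example that is not File Browser's own code: a simplified model of a "Disallow" rule check that compares the raw request path, beside a version that canonicalizes the path before matching. The `Rule` type, the function names and the sample paths are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is a hypothetical "Disallow" rule: deny everything under Prefix.
type Rule struct{ Prefix string }

// naiveDenied matches the raw request path against each rule. A path such
// as "//private/x" does not start with "/private", so the rule is missed
// even though the filesystem resolves it to the same file.
func naiveDenied(reqPath string, rules []Rule) bool {
	for _, r := range rules {
		if strings.HasPrefix(reqPath, r.Prefix) {
			return true
		}
	}
	return false
}

// canonical collapses repeated slashes and dot segments, producing the
// form of the path that the filesystem layer will end up resolving.
func canonical(reqPath string) string {
	return path.Clean("/" + reqPath)
}

// hardenedDenied canonicalizes both sides, then matches on a whole
// path-segment boundary so "/private" does not also catch "/privateer".
func hardenedDenied(reqPath string, rules []Rule) bool {
	p := canonical(reqPath)
	for _, r := range rules {
		prefix := strings.TrimSuffix(canonical(r.Prefix), "/")
		if p == prefix || strings.HasPrefix(p, prefix+"/") {
			return true
		}
	}
	return false
}

func main() {
	rules := []Rule{{Prefix: "/private"}} // constructed sample rule
	for _, p := range []string{"/private/a.txt", "//private/a.txt", "/public/a.txt"} {
		fmt.Printf("%-18s naive=%-5v hardened=%v\n", p, naiveDenied(p, rules), hardenedDenied(p, rules))
	}
}
```

The same canonical path should be used for both the authorization decision and the file access, so the two layers cannot disagree.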

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.46% probability of exploitation · percentile 36.4% · 2026-06-19T12:03:05Z
Published: 2026-02-09
Last modified: 2026-02-20

Underlying weaknesses · 2

CWE-706, CWE-863

References

  1. https://github.com/filebrowser/filebrowser/commit/489af403a19057f6b6b4b1dc0e48cbb26a202ef9
  2. https://github.com/filebrowser/filebrowser/releases/tag/v2.57.1
  3. https://github.com/filebrowser/filebrowser/security/advisories/GHSA-4mh3-h929-w968

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Use of Incorrectly-Resolved Name or Reference (cwe-706) | 0% | live |
| Weakness | Incorrect Authorization (cwe-863) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-35604
  2. CVE-2025-52903
  3. CVE-2026-29188
  4. CVE-2025-52904
  5. CVE-2026-35607
  6. CVE-2025-53826

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.