CVE-2026-29188 · HIGH 8.1 · EPSS p38.1%

Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.49% probability of exploitation · percentile 38.1% · 2026-06-18T12:00:27Z
Published: 2026-03-05
Last modified: 2026-03-10

Underlying weaknesses · 2

CWE-284, CWE-732

References

  1. https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f
  2. https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1
  3. https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm

Type | Target | Confidence | Tier
Weakness | Improper Access Control (cwe-284) | 0% | live
Weakness | Incorrect Permission Assignment for Critical Resource (cwe-732) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-25890
  2. CVE-2026-35604
  3. CVE-2025-64523
  4. CVE-2025-53826
  5. CVE-2025-52903
  6. CVE-2026-35607

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.