CVE-2026-32759HIGH 8.1EPSS p77.0%

CVE-2026-32759CVE-2026-32759

filebrowser / filebrowser

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions on the 2.x branch prior to 2.33.8, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked c

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS1.90% probability of exploitation · percentile 77.0% · 2026-06-18T12:00:27Z
Published2026-03-20
Last modified2026-06-09

Underlying weaknesses· 1

CWE-190

References

  1. https://github.com/filebrowser/filebrowser/issues/5199
  2. https://github.com/filebrowser/filebrowser/security/advisories/GHSA-ffx7-75gc-jg7c

1

TypeTargetConfidenceTier
WeaknessInteger Overflow or Wraparoundcwe-1900%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-35585
CVE
CVE-2026-29188
CVE
CVE-2026-25890
CVE
CVE-2026-34529
CVE
CVE-2026-21628
CVE
CVE-2026-28525
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.