CVE-2026-32760 · CRITICAL 9.8 · EPSS p47.4%

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings (including Perm.Admin) to the new user without any server-side guard that strips admin from self-registered accounts. The signupHandler is supposed to create unprivileged accounts for new visitors. It contains no explicit user.Perm.Admin = false reset after applying defaults. If an administrator (intentionally or accidentally) configures defaults.perm.admin = true and also enables signup, every account created via the public registration endpoint is an administrator with full control over all files, users, and server settings. This issue has been resolved in version 2.62.0.
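
The missing guard described above, modeled in Go as an added example (not File Browser's code and not the actual patch). The types and the functions `applyDefaults`, `signupUnguarded`, `signupGuarded` and `riskyConfig` are hypothetical simplifications:

```go
package main

import "fmt"

// Permissions, UserDefaults, Settings and User are simplified stand-ins
// (assumed shapes), not File Browser's real types.
type Permissions struct {
	Admin    bool
	Create   bool
	Download bool
}

type UserDefaults struct{ Perm Permissions }

type Settings struct {
	Signup   bool
	Defaults UserDefaults
}

type User struct {
	Username string
	Perm     Permissions
}

// applyDefaults copies every default onto the user, Perm.Admin included.
func applyDefaults(s Settings, u *User) { u.Perm = s.Defaults.Perm }

// signupUnguarded models the flaw: defaults are applied and nothing resets Admin.
func signupUnguarded(s Settings, name string) User {
	u := User{Username: name}
	applyDefaults(s, &u)
	return u
}

// signupGuarded applies the same defaults, then strips Admin server-side so a
// self-registered account is unprivileged whatever the configured defaults say.
func signupGuarded(s Settings, name string) User {
	u := signupUnguarded(s, name)
	u.Perm.Admin = false
	return u
}

// riskyConfig flags the combination the description names, for config audits.
func riskyConfig(s Settings) bool { return s.Signup && s.Defaults.Perm.Admin }

func main() {
	// Constructed sample settings: signup enabled and admin granted by default.
	s := Settings{Signup: true, Defaults: UserDefaults{Perm: Permissions{Admin: true, Create: true}}}
	fmt.Println(riskyConfig(s), signupUnguarded(s, "visitor").Perm.Admin, signupGuarded(s, "visitor").Perm.Admin)
}
```

On versions that cannot be upgraded yet, a check like `riskyConfig` over the deployed settings identifies instances where either signup or the admin default needs to be turned off.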

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.68% probability of exploitation · percentile 47.4% · 2026-06-18T12:00:27Z
Published: 2026-03-20
Last modified: 2026-03-23

Underlying weaknesses · 2

CWE-269, CWE-284

References

  1. https://github.com/filebrowser/filebrowser/commit/a63573b67eb302167b4c4f218361a2d0c138deab
  2. https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0
  3. https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5gg9-5g7w-hm73

Type | Target | Confidence | Tier
Weakness | Improper Privilege Management (cwe-269) | 0% | live
Weakness | Improper Access Control (cwe-284) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-34528
CVE-2026-35607
CVE-2026-35604
CVE-2026-25890
CVE-2025-52904
CVE-2025-52903

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.