CVE-2026-34528 · CRITICAL 9.8 · EPSS p46.5%

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.
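The signup flow described above, modelled as an added example (not File Browser's own code): the User, Permissions and Defaults types are simplified assumptions, and signupBefore, signupHardened and auditUser are hypothetical names. It contrasts stripping only Admin with also clearing Execute and Commands, and shows a check that flags self-registered accounts still holding execution capability. The default template in main is constructed.

```go
package main

import "fmt"

// Simplified stand-ins for the user model; assumed shapes, not File Browser's source.
type Permissions struct{ Admin, Execute, Create bool }

type User struct {
	Perm     Permissions
	Commands []string
}
// Defaults models the administrator-configured default user template.
type Defaults User

// Apply copies the template's permissions and command list onto a new user.
func (d Defaults) Apply(u *User) {
	u.Perm, u.Commands = d.Perm, append([]string(nil), d.Commands...)
}

// signupBefore follows the described flow: apply defaults, strip only Admin.
func signupBefore(d Defaults) *User {
	u := &User{}
	d.Apply(u)
	u.Perm.Admin = false
	return u
}

// signupHardened also clears Execute and Commands for self-registered accounts.
func signupHardened(d Defaults) *User {
	u := signupBefore(d)
	u.Perm.Execute, u.Commands = false, nil
	return u
}

// auditUser lists the command-execution capabilities an account still holds.
func auditUser(u *User) (findings []string) {
	if u.Perm.Execute {
		findings = append(findings, "execute")
	}
	if len(u.Commands) > 0 {
		findings = append(findings, fmt.Sprintf("commands=%v", u.Commands))
	}
	return findings
}

func main() {
	d := Defaults{Perm: Permissions{Execute: true, Create: true}, Commands: []string{"git"}} // constructed
	fmt.Println("before:  ", auditUser(signupBefore(d)))
	fmt.Println("hardened:", auditUser(signupHardened(d)))
}
```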

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.65% probability of exploitation · percentile 46.5% · 2026-06-19T12:03:05Z
Published: 2026-04-01
Last modified: 2026-04-06

Underlying weaknesses · 1

CWE-269

References

  1. https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2
  2. https://github.com/filebrowser/filebrowser/security/advisories/GHSA-x8jc-jvqm-pm3f

Type | Target | Confidence | Tier
Weakness | Improper Privilege Management (cwe-269) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-35607
CVE-2026-32760
CVE-2025-52904
CVE-2025-52903
CVE-2026-35585
CVE-2026-35604

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.