CVE-2026-35607 · HIGH 8.8 · EPSS p30.0%

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 ("self-registered users don't get execute perms") stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted execution capabilities from global defaults, even though the signup path was explicitly changed to prevent execution rights from being inherited by automatically provisioned accounts. This vulnerability is fixed in 2.63.1.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.38% probability of exploitation · percentile 30.0% · 2026-06-19T12:03:05Z
Published: 2026-04-07
Last modified: 2026-04-16

Underlying weaknesses · 1

CWE-269

References

  1. https://github.com/filebrowser/filebrowser/pull/5890
  2. https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7526-j432-6ppp

Type | Target | Confidence | Tier
Weakness | Improper Privilege Management (cwe-269) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-34528
CVE-2026-32760
CVE-2026-35604
CVE-2026-25890
CVE-2025-52903
CVE-2025-52904

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.