CVE-2026-61874 PUBLISHED

filebrowser before 2.63.17 Stale Public Share via Trailing-Slash Delete

Assigner: VulnCheck
Reserved: 10.07.2026 Published: 12.07.2026 Updated: 12.07.2026

filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose new contents through the dormant public share URL.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 2.3

Product Status

Vendor filebrowser
Product filebrowser
Versions Default: unaffected
  • affected from 0 to 2.63.17 (excl.)
  • Version 2.63.17 is unaffected

Credits

  • DavidCarliez reporter
  • hacdias finder

References

Problem Types

  • Incorrect Authorization CWE