PT-2025-27006 · Unknown · Filebrowser

Mtausig · Published 2025-06-26 · Updated 2025-08-04 · CVE-2025-52903

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: File Browser version 2.32.0
Description: The issue concerns the Command Execution feature in File Browser, which lets users run shell commands taken from a user-specific allowlist. However, many tools can themselves execute arbitrary commands, so the allowlist does not function as a security boundary. The impact depends on the commands granted to the attacker, but most users with the Execute commands permission can exploit this and gain full code execution with the uid of the server process.
Recommendations: For version 2.32.0, completely disable Execute commands for all accounts as a temporary workaround. If command execution is not required, consider running File Browser from a distroless container image as a defense-in-depth measure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration

Argument Injection
Command Injection

Related Identifiers

CVE-2025-52903
GHSA-3Q2W-42MV-CPH4
GO-2025-3786
OPENSUSE-SU-2025:15405-1

Affected Products

Filebrowser