CVE-2025-52904

Name of the Vulnerable Software and Affected Versions: File Browser versions 1.11.0 and earlier, and 2.32.0 through 2.35.0

Description: File Browser provides a file managing interface. The Command Execution feature allows the execution of shell commands without proper scope restrictions, potentially granting an attacker read and write access to all files managed by the server, including password hashes. Exploitation may lead to database compromise, password extraction, or user impersonation. Approximately 3300 instances of File Browser in Runet are estimated to be vulnerable, with over 71% potentially susceptible to attack.

Recommendations: File Browser versions 1.11.0 and earlier: At the moment, there is no information about a newer version that contains a fix for this vulnerability. File Browser versions 2.32.0 through 2.35.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Disable the Execute commands function for all accounts. Operate File Browser from a distroless container image if command execution is not required. Restrict the File Browser process when it is started, for example, by using user namespaces and Bubblewrap. Configure strict file and database permissions.