PT-2026-22992 · Unknown · Filebrowser

Uug4Na · Published 2026-03-02 · Updated 2026-05-07 · CVE-2026-28492

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

File Browser versions prior to 2.61.0

Description

File Browser provides a file managing interface. Prior to version 2.61.0, public share links are affected by a directory traversal issue. The withHashFile middleware in http/public.go incorrectly uses filepath.Dir(link.Path) to determine the filesystem root for shared directories, so the root is set to the parent directory instead of the shared directory itself. This allows anyone with a share link to access files in sibling directories, outside the intended shared directory, leading to unauthenticated information disclosure. The issue affects both directory listing via /api/public/share/{hash} and file download via /api/public/dl/{hash}/path.

Recommendations

Update File Browser to version 2.61.0 or later.
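
The root-selection mistake described above, as an added example that is not File Browser's code: a simplified model comparing a root taken from the parent of a shared directory with a root set to the shared directory itself, plus a containment check a reviewer can use in tests. The function names, the `/srv/data` layout and the requested path are constructed assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// rootFromParent models the flawed pattern: the filesystem root for a
// shared directory is taken from its parent (hypothetical helper).
func rootFromParent(sharedDir string) string {
	return filepath.Dir(sharedDir)
}

// rootFromShare models the corrected pattern: the root is the shared
// directory itself (hypothetical helper).
func rootFromShare(sharedDir string) string {
	return filepath.Clean(sharedDir)
}

// resolve maps a request path onto the chosen root. Cleaning against "/"
// first removes any ".." segments, so only the root decides what is reachable.
func resolve(root, requested string) string {
	return filepath.Join(root, filepath.Clean("/"+requested))
}

// withinShare reports whether a resolved path lies inside the shared
// directory. Usable as a defence-in-depth check or a regression test.
func withinShare(sharedDir, full string) bool {
	rel, err := filepath.Rel(filepath.Clean(sharedDir), full)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	shared := "/srv/data/public"      // constructed sample: the directory that was shared
	requested := "private/secret.txt" // constructed sample: path taken from the request
	for _, root := range []string{rootFromParent(shared), rootFromShare(shared)} {
		full := resolve(root, requested)
		fmt.Printf("root=%-17s -> %-36s inside share: %v\n",
			root, full, withinShare(shared, full))
	}
}
```

With the parent as root, the request resolves to a sibling of the shared directory even though it contains no `..` segments, which is why path cleaning alone does not catch this class of bug.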

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2026-28492
GHSA-MR74-928F-RW69
GO-2026-4585
SUSE-SU-2026:1042-1

Affected Products

Filebrowser