PT-2026-22992 · Unknown · Filebrowser

Uug4Na · Published 2026-03-02 · Updated 2026-03-25 · CVE-2026-28492

CVSS v4.0: 7.1 High

AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

File Browser versions prior to 2.61.0

Description

File Browser provides a file managing interface. A flaw exists where creating a public share link for a directory allows unauthorized access to sibling directories and their files. The withHashFile middleware in http/public.go incorrectly uses filepath.Dir(link.Path) to determine the filesystem root, resulting in access to the parent directory instead of the intended shared directory. This impacts the /api/public/share/{hash} (directory listing) and /api/public/dl/{hash}/path (file download) API endpoints. The vulnerable parameter is link.Path. This issue allows unauthenticated information disclosure, enabling anyone with a share link to browse and download files from directories outside the intended share.

Recommendations

Update File Browser to version 2.61.0 or later.
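
The root-selection flaw in the description, as an added Go example that is neither File Browser's code nor its patch: shareRoot and resolve are hypothetical helpers and the paths are constructed. It shows that filepath.Dir applied to a shared directory yields the parent, so a sibling directory resolves under the share root, while using the directory itself as root keeps requests inside the share.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// shareRoot picks the directory a public share is confined to.
// Hypothetical helper, not File Browser's code.
// buggy=true mirrors the flaw described in the advisory: filepath.Dir
// is applied even when the shared path is itself a directory.
func shareRoot(linkPath string, isDir, buggy bool) string {
	clean := filepath.Clean(linkPath)
	if isDir && !buggy {
		return clean // a directory share is its own root
	}
	return filepath.Dir(clean) // appropriate only for single-file shares
}

// resolve maps a request path onto root and reports whether the result
// stays inside the directory that was actually shared.
func resolve(root, shared, reqPath string) (string, bool) {
	// Joining onto "/" first collapses any ".." so the result never leaves root.
	full := filepath.Join(root, filepath.Join("/", reqPath))
	rel, err := filepath.Rel(filepath.Clean(shared), full)
	inside := err == nil && rel != ".." &&
		!strings.HasPrefix(rel, ".."+string(filepath.Separator))
	return full, inside
}

func main() {
	shared := "/srv/projects/public" // constructed sample path
	for _, buggy := range []bool{true, false} {
		root := shareRoot(shared, true, buggy)
		full, inside := resolve(root, shared, "private/notes.txt")
		fmt.Printf("buggy=%v root=%s -> %s insideShare=%v\n", buggy, root, full, inside)
	}
}
```

The inside check in resolve is also usable as a regression test or audit assertion: any resolved path that is not beneath the shared directory indicates the root was chosen too high.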

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-28492
GHSA-MR74-928F-RW69
GO-2026-4585

Affected Products

Filebrowser