PT-2026-25857 · Unknown · Filebrowser
Fg0X0 · Published 2026-03-16 · Updated 2026-03-27 · CVE-2026-32759

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: File Browser versions 2.61.2 and below

Description: File Browser has a flaw in its handling of TUS resumable uploads. The software parses the 'Upload-Length' header as a signed 64-bit integer without verifying that the value is non-negative. This allows an authenticated user to provide a negative value, which immediately satisfies the upload completion condition upon the first PATCH request. Consequently, the server triggers 'after upload' execution hooks with empty or partial files. This enables an attacker to repeatedly trigger configured hooks with arbitrary filenames and zero bytes written.

The impact ranges from denial of service (DoS) through resource-intensive processing hooks, to command injection amplification when combined with malicious filenames, and abuse of upload-driven workflows. Even without execution hooks enabled, a negative 'Upload-Length' creates inconsistent cache entries where files are marked as complete but contain no data. The issue affects all deployments using the TUS upload endpoint ('/api/tus'), and the 'enableExec' flag escalates the impact from cache inconsistency to remote command execution.

The vulnerable code resides in http/tus handlers.go, specifically within the getUploadLength() and tusPatchHandler functions. The completion check uses a signed comparison, meaning any negative uploadLength is always less than newOffset, causing the hook to fire immediately. The API endpoint affected is /api/tus. The vulnerable parameter is Upload-Length.

Recommendations: Versions prior to 2.61.2 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
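The following is an added illustration, not File Browser's own code, of the signed-comparison completion check the description refers to, placed beside a hardened parser that rejects negative and non-numeric Upload-Length values. The function names follow the advisory; their bodies, the ErrBadUploadLength error and the uploadComplete helper are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strconv"
)

// ErrBadUploadLength is returned by the hardened parser for missing,
// non-numeric or negative Upload-Length values (name is an assumption).
var ErrBadUploadLength = errors.New("tus: invalid Upload-Length header")

// getUploadLengthVulnerable mirrors the behaviour the advisory describes:
// the header is parsed as a signed int64 with no sign check, so "-1" is
// accepted as a valid length. Illustrative reconstruction, not project code.
func getUploadLengthVulnerable(r *http.Request) (int64, error) {
	return strconv.ParseInt(r.Header.Get("Upload-Length"), 10, 64)
}

// getUploadLengthHardened accepts only a non-negative decimal integer.
func getUploadLengthHardened(r *http.Request) (int64, error) {
	n, err := strconv.ParseInt(r.Header.Get("Upload-Length"), 10, 64)
	if err != nil || n < 0 {
		return 0, ErrBadUploadLength
	}
	return n, nil
}

// uploadComplete is the completion condition evaluated after a PATCH chunk:
// with a signed uploadLength, any negative value is <= newOffset on the very
// first chunk, so the "after upload" hook fires with zero bytes written.
func uploadComplete(uploadLength, newOffset int64) bool {
	return newOffset >= uploadLength
}

func main() {
	// Constructed request carrying a negative length; not captured traffic.
	req, _ := http.NewRequest(http.MethodPost, "/api/tus", nil)
	req.Header.Set("Upload-Length", "-1")
	if n, err := getUploadLengthVulnerable(req); err == nil {
		fmt.Printf("vulnerable: accepted length %d, complete after 0 bytes: %v\n",
			n, uploadComplete(n, 0))
	}
	if _, err := getUploadLengthHardened(req); err != nil {
		fmt.Println("hardened:", err)
	}
}
```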

Exploit

Integer Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-32759
GHSA-FFX7-75GC-JG7C
GO-2026-4713
SUSE-SU-2026:1135-1

Affected Products

Filebrowser