PT-2026-30904 · Unknown · Filebrowser

Saku0512 · Published 2026-04-07 · Updated 2026-04-08 · CVE-2026-35585

CVSS v4.0: 7.5 (High)
Vector: AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: File Browser versions 2.0.0 through 2.63.1

Description: File Browser, a web-based file managing interface, has a command injection flaw in its hook system. Hooks let an administrator define shell commands that run on file events (upload, rename, delete), with event values such as FILE and USERNAME substituted into the command string by Go's os.Expand. The substituted values are not sanitized and the expanded string is executed by a shell, so a user with file write permission can inject OS commands by choosing a filename that contains shell metacharacters (for example ; or $( )). Successful exploitation gives Remote Code Execution (RCE) on the host, with the privileges of the File Browser process. The hook feature is disabled by default from version 2.33.8 onwards, so on those versions exploitation requires an administrator to have enabled it.

Recommendations: For versions 2.0.0 through 2.33.7, ensure the hook system is disabled. For versions 2.33.8 through 2.63.1, verify that the hook system has not been enabled. If hooks are required, avoid variable substitution in hook commands, or pass substituted values such as FILE and USERNAME to the command as separate arguments instead of through a shell string; if a shell must be used, quote or strictly validate every substituted value before it reaches os.Expand. Treat filenames supplied by any user with write permission as untrusted input.
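The following is an added example, not File Browser's own code, illustrating the mechanism described above and the two safer patterns the recommendations point at. It assumes a hook template using $VAR placeholders and the FILE and USERNAME variable names named in the advisory; the hookVars type, the function names, the template and the malicious filename are all constructed for this example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// hookVars models the event values a hook command may reference.
// The variable names come from the advisory; the type is constructed here.
type hookVars map[string]string

// ExpandHookUnsafe mirrors the vulnerable pattern: the admin-defined template
// is expanded with os.Expand and the result is meant to be handed to a shell
// as a single string, so metacharacters in a filename become shell syntax.
func ExpandHookUnsafe(tmpl string, vars hookVars) string {
	return os.Expand(tmpl, func(k string) string { return vars[k] })
}

// ShellQuote wraps v in single quotes, escaping embedded single quotes, so a
// POSIX shell treats the whole value as one literal word.
func ShellQuote(v string) string {
	return "'" + strings.ReplaceAll(v, "'", `'\''`) + "'"
}

// ExpandHookQuoted substitutes every variable as a single-quoted literal.
// Use this only when the expanded string really must go through a shell.
func ExpandHookQuoted(tmpl string, vars hookVars) string {
	return os.Expand(tmpl, func(k string) string {
		v, ok := vars[k]
		if !ok {
			return ""
		}
		return ShellQuote(v)
	})
}

// ExpandHookArgv avoids the shell entirely: the template is split into argv
// on whitespace first, then each word is expanded on its own, so a value can
// never add words, operators or redirections.
func ExpandHookArgv(tmpl string, vars hookVars) []string {
	words := strings.Fields(tmpl)
	argv := make([]string, 0, len(words))
	for _, w := range words {
		argv = append(argv, os.Expand(w, func(k string) string { return vars[k] }))
	}
	return argv
}

// BuildHookCmd builds the command from the argv form without any shell.
// The caller runs it with cmd.Run(); nothing is executed here.
func BuildHookCmd(tmpl string, vars hookVars) *exec.Cmd {
	argv := ExpandHookArgv(tmpl, vars)
	if len(argv) == 0 {
		return nil
	}
	return exec.Command(argv[0], argv[1:]...)
}

// HasShellMeta reports whether v contains characters a POSIX shell would
// interpret; a cheap pre-check for values that are about to hit a shell.
func HasShellMeta(v string) bool {
	return strings.ContainsAny(v, ";|&$`\\\"'<>()*?[]{}~\n\t ")
}

func main() {
	// Constructed malicious upload name: everything after ';' is a new command.
	vars := hookVars{"FILE": "report.pdf; id > /tmp/pwned", "USERNAME": "alice"}
	tmpl := "/usr/local/bin/scan $FILE"

	fmt.Println("unsafe :", ExpandHookUnsafe(tmpl, vars))
	fmt.Println("quoted :", ExpandHookQuoted(tmpl, vars))
	fmt.Printf("argv   : %q\n", ExpandHookArgv(tmpl, vars))
	fmt.Println("meta?  :", HasShellMeta(vars["FILE"]))
}
```

The argv form is the one to prefer: because each template word is expanded separately and passed straight to exec.Command, a filename can only ever be one argument, and the shell is never involved. The trade-off is that shell features in the template (pipes, globs, redirections) stop working, which is the point.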

Weakness Enumeration
OS Command Injection
Argument Injection

Related Identifiers
CVE-2026-35585
GHSA-JVPW-637P-H3PW

Affected Products
Filebrowser