PT-2026-30906 · Unknown · Filebrowser

Kodareef5 · Published 2026-04-07 · Updated 2026-04-08 · CVE-2026-35605

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

File Browser versions prior to 2.63.1

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. The Matches() function in rules/rules.go uses strings.HasPrefix() without a trailing directory separator when matching paths against access rules. A rule for /uploads also matches /uploads backup/, potentially granting or denying access to unintended directories.

Recommendations

Update to version 2.63.1 or later.
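The prefix mismatch from the Description, shown as an added Go example beside a boundary-aware comparison. This is not File Browser's code and not the 2.63.1 patch; matchesPrefixOnly and matchesOnBoundary are hypothetical helpers and the sample paths are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// matchesPrefixOnly (hypothetical name) reproduces the flawed comparison the
// advisory describes: a raw string prefix test with no directory boundary.
func matchesPrefixOnly(path, rulePath string) bool {
	return strings.HasPrefix(path, rulePath)
}

// matchesOnBoundary (hypothetical name) treats rulePath as a directory: it
// matches the directory itself or anything beneath it, but not a sibling
// whose name merely starts with the same characters.
func matchesOnBoundary(path, rulePath string) bool {
	if rulePath == "" {
		return false // assumption: an empty rule matches nothing
	}
	dir := strings.TrimSuffix(rulePath, "/")
	if dir == "" {
		// The rule was "/", which covers every absolute path.
		return strings.HasPrefix(path, "/")
	}
	return path == dir || strings.HasPrefix(path, dir+"/")
}

func main() {
	rule := "/uploads"
	// Constructed sample paths; the third uses the sibling name from the advisory.
	paths := []string{
		"/uploads",
		"/uploads/report.pdf",
		"/uploads backup/secret.txt",
		"/uploads_backup/secret.txt",
	}
	for _, p := range paths {
		fmt.Printf("%-30q prefix-only=%-5v boundary=%v\n",
			p, matchesPrefixOnly(p, rule), matchesOnBoundary(p, rule))
	}
}
```

Because the same comparison drives both allow and deny rules, the sibling-directory match can widen access or block it, which is why the boundary check matters in either direction.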

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-35605
GHSA-5Q48-Q4FM-G3M6

Affected Products

Filebrowser