CVE-2026-35606

Name of the Vulnerable Software and Affected Versions File Browser versions prior to 2.63.1

Description File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. The resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. The /api/raw, /api/preview, and /api/subtitle endpoints correctly verify this permission before serving content. A user with download: false can read any text file within their scope through bypass paths.

Recommendations Update to version 2.63.1 or later.