PT-2026-57558 · Unknown · Filebrowser
Davidcarliez
+1
·
Published
2026-07-12
·
Updated
2026-07-12
·
CVE-2026-61874
CVSS v3.1
3.1
Low
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
filebrowser versions prior to 2.63.17
Description
Authenticated users can leave stale public shares behind because the software fails to normalize paths before querying the share index in the
DeleteWithPathPrefix() function. An attacker can delete a shared directory by using a path with a trailing slash and subsequently recreate the directory to expose new contents via the dormant public share URL.Recommendations
Update to version 2.63.17 or later.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Filebrowser