PT-2026-7167 · Unknown · Filebrowser
Dogadmin · Published 2026-02-09 · Updated 2026-03-03 · CVE-2026-25889
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: File Browser versions prior to 2.57.1

Description: File Browser provides a file management interface for tasks such as uploading, deleting, previewing, renaming, and editing files. A case-sensitivity flaw in its password validation lets authenticated users change their own password (or, for administrators, any user's password) without supplying the current password. The bypass is triggered when the 'Password' field in the API request is capitalized instead of written in lowercase as 'password', which skips the current-password verification. An attacker who already holds a valid JSON Web Token (JWT) for the account, for example one obtained through cross-site scripting (XSS) or session hijacking, can combine it with this bypass to take over the account. The vulnerable parameter is password. The affected API endpoint is not explicitly mentioned.

Recommendations: Update to version 2.57.1 or later.
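The description names the bug class: the check that decides whether the current password must be verified and the step that applies the change disagree on how a field name is matched, so a differently capitalized name slips past one but not the other. The Go program below is an added illustration of that class and is not Filebrowser's own code; the User type, updateRequest, applyFields, vulnerableUpdate and hardenedUpdate functions and the request body are all hypothetical, and passwords are compared as plain strings only to keep the example short (a real service would compare a bcrypt or argon2 hash).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical user record and update request, modelled on the flaw class the
// advisory describes. Password is stored in plaintext here purely for brevity.
type User struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

type updateRequest struct {
	Which           []string `json:"which"`           // field names the client wants to change
	Data            User     `json:"data"`            // new values
	CurrentPassword string   `json:"currentPassword"` // required when "password" is being changed
}

var errCurrentPassword = errors.New("current password required or incorrect")

// applyFields copies the named fields from src to dst. Like many reflection-based
// updaters it accepts any capitalisation of the field name.
func applyFields(dst, src *User, which []string) {
	for _, f := range which {
		switch strings.ToLower(f) {
		case "username":
			dst.Username = src.Username
		case "password":
			dst.Password = src.Password
		}
	}
}

// vulnerableUpdate gates the current-password check on an exact, case-sensitive
// match of "password", while applyFields is case-insensitive. A request whose
// Which list says "Password" skips the check and still changes the password.
func vulnerableUpdate(stored *User, body []byte) error {
	var req updateRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	for _, f := range req.Which {
		if f == "password" && req.CurrentPassword != stored.Password {
			return errCurrentPassword
		}
	}
	applyFields(stored, &req.Data, req.Which)
	return nil
}

// hardenedUpdate normalises every field name once, rejects names outside an
// allowlist, and runs the authorisation check on the same normalised value the
// apply step uses, so the two can no longer disagree.
func hardenedUpdate(stored *User, body []byte) error {
	var req updateRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	allowed := map[string]bool{"username": true, "password": true}
	normalised := make([]string, 0, len(req.Which))
	for _, f := range req.Which {
		f = strings.ToLower(f)
		if !allowed[f] {
			return fmt.Errorf("unknown field %q", f)
		}
		normalised = append(normalised, f)
	}
	for _, f := range normalised {
		if f == "password" && req.CurrentPassword != stored.Password {
			return errCurrentPassword
		}
	}
	applyFields(stored, &req.Data, normalised)
	return nil
}

// Constructed request: capitalised field name and no current password supplied.
const capitalisedRequest = `{"which":["Password"],"data":{"password":"new-secret"}}`

func main() {
	u := User{Username: "alice", Password: "old-secret"}
	err := vulnerableUpdate(&u, []byte(capitalisedRequest))
	fmt.Println("vulnerable: err =", err, "| password now:", u.Password)

	u = User{Username: "alice", Password: "old-secret"}
	err = hardenedUpdate(&u, []byte(capitalisedRequest))
	fmt.Println("hardened:   err =", err, "| password still:", u.Password)
}
```

The detection angle for defenders is the same comparison: an update request whose field list names the password field in anything other than the canonical lowercase form, or a password-change event with no current-password verification logged, is worth alerting on while unpatched instances remain.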

Related Identifiers

CVE-2026-25889
GHSA-HXW8-4H9J-HQ2R
GO-2026-4475
SUSE-SU-2026:0757-1

Affected Products

Filebrowser