Path Traversal Vulnerability in File Browser by File Browser Team
CVE-2026-32758

6.5MEDIUM

Key Information:

Vendor

Filebrowser

Status
Filebrowser
Vendor
CVE Published:
19 March 2026

What is CVE-2026-32758?

File Browser, a file management tool, is susceptible to a path traversal vulnerability in versions 2.61.2 and below. This flaw, found in the resourcePatchHandler, arises when the system improperly validates the destination path before normalizing it. An authenticated user with Create or Rename permissions can exploit this vulnerability by inserting '..' sequences into the destination parameter of a PATCH request. This action bypasses administrator-defined deny rules, which may allow files to be written or moved into restricted directories. However, the vulnerability is limited to the user's BasePathFs scope, preventing access to read from highly restricted paths. The issue has been resolved in version 2.62.0.

Affected Version(s)

filebrowser < 2.62.0

References

https://github.com/filebrowser/filebrowser/security/advis...
x_refsource_CONFIRM
https://github.com/filebrowser/filebrowser/commit/4bd7d69...
x_refsource_MISC
https://github.com/filebrowser/filebrowser/releases/tag/v...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.