File Management Interface Vulnerability in File Browser by File Browser
CVE-2026-32759

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 19 March 2026

What is CVE-2026-32759?

File Browser versions 2.61.2 and below contain a vulnerability in the file management interface, in the TUS resumable upload handler. The handler does not properly validate the Upload-Length header, so an authenticated user can submit a negative value. This can trigger after_upload exec hooks with empty or partial files, which enables denial of service through excessive resource consumption and has severe implications for system integrity when paired with malicious filenames. Even where exec hooks are disabled, a negative Upload-Length produces incorrect cache entries that falsely indicate the upload is complete. All deployments that use the TUS upload endpoint are affected, with implications for command execution and for workflows that rely on accurate file uploads.
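The validation this class of bug calls for, as an added Go example that is not File Browser's own code or its fix: the names parseUploadLength, uploadComplete, naiveComplete and the maxUploadBytes limit are hypothetical, and the `offset >= length` check is an assumed pattern shown only to illustrate why a negative length can read as "complete".

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strconv"
)

// maxUploadBytes is an assumed deployment limit, not a File Browser setting.
const maxUploadBytes int64 = 10 << 30
var errBadLength = errors.New("invalid Upload-Length")

// parseUploadLength validates the TUS Upload-Length header before any upload
// state is cached. Hypothetical helper; deferred-length uploads are assumed unsupported.
func parseUploadLength(h http.Header) (int64, error) {
	raw := h.Get("Upload-Length")
	if raw == "" {
		return 0, fmt.Errorf("%w: header missing", errBadLength)
	}
	// ParseUint refuses sign prefixes ("-1", "+5"); bitSize 63 keeps the value inside int64.
	n, err := strconv.ParseUint(raw, 10, 63)
	if err != nil {
		return 0, fmt.Errorf("%w: %q", errBadLength, raw)
	}
	if int64(n) > maxUploadBytes {
		return 0, fmt.Errorf("%w: %d exceeds limit", errBadLength, n)
	}
	return int64(n), nil
}

// uploadComplete gates "upload finished" actions such as hooks: the stored
// length must be non-negative and the offset must match it exactly.
func uploadComplete(offset, length int64) bool {
	return length >= 0 && offset == length
}

// naiveComplete is an assumed pattern (not taken from the project's source)
// that a negative length satisfies before any byte is written.
func naiveComplete(offset, length int64) bool { return offset >= length }

func main() {
	for _, v := range []string{"1048576", "-1", "+5", "abc", ""} { // constructed inputs
		h := http.Header{}
		h.Set("Upload-Length", v)
		n, err := parseUploadLength(h)
		fmt.Printf("%q -> %d, %v\n", v, n, err)
	}
	fmt.Println(naiveComplete(0, -1), uploadComplete(0, -1))
}
```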

Affected Version(s)

filebrowser <= 2.61.2

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
