OS Command Injection in File Browser - Affected Product by File Browser Team
CVE-2026-35585

7.5 HIGH

Key Information:

Vendor: File Browser Team
CVE Published: 7 April 2026

What is CVE-2026-35585?

File Browser is susceptible to an OS command injection vulnerability caused by inadequate sanitization in its hook system, the feature that runs configured commands in response to file actions such as upload, rename, and delete. In versions from 2.0.0 to 2.63.1, an attacker who holds file write permissions can create a filename containing shell metacharacters; when a hook fires for that file, the unsanitized name reaches the shell and the attacker's embedded commands are executed on the server, potentially leading to Remote Code Execution (RCE). Note that the hook feature is disabled by default in versions 2.33.8 and later.
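The unsafe pattern the description refers to, shown beside its hardened form, as an added illustration in Go (the language File Browser is written in). This is not File Browser's own code: the Hook type, the program path, the command template and the sample filenames are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative hook model (an assumption, not File Browser's own code): a
// program run after a file action, which receives the acted-on filename.
type Hook struct {
	Program string   // executable to run, e.g. "/usr/local/bin/on-upload"
	Args    []string // fixed arguments placed before the filename
}

// Characters a POSIX shell treats as syntax rather than as part of one word.
const shellMeta = ";&|<>()$`\\\"' \t\n"

// unsafeArgv builds the command the way the vulnerable pattern does: the raw
// filename is spliced into a single string that a shell then re-parses, so a
// metacharacter in the name changes the structure of the command line.
// The argv is returned, not executed.
func unsafeArgv(template, filename string) []string {
	return []string{"sh", "-c", strings.ReplaceAll(template, "{file}", filename)}
}

// safeArgv is the hardened form: no shell is involved and the filename is one
// argv element, so the program receives it verbatim whatever it contains.
// Names with metacharacters or path separators are also rejected, as
// defence in depth in case a downstream script re-parses its arguments.
func safeArgv(h Hook, filename string) ([]string, error) {
	if filename == "" || strings.ContainsAny(filename, "/\x00") {
		return nil, errors.New("hook: filename must be a bare name without path separators")
	}
	if strings.ContainsAny(filename, shellMeta) {
		return nil, fmt.Errorf("hook: rejected filename with shell metacharacters: %q", filename)
	}
	argv := append([]string{h.Program}, h.Args...)
	return append(argv, filename), nil
}

func main() {
	h := Hook{Program: "/usr/local/bin/on-upload", Args: []string{"--event", "upload"}}
	// Constructed sample names: one benign, one that a shell would split into two words.
	for _, name := range []string{"report.pdf", "quarterly;report.pdf"} {
		fmt.Printf("unsafe: %q\n", unsafeArgv("/usr/local/bin/on-upload --event upload {file}", name))
		argv, err := safeArgv(h, name)
		fmt.Printf("safe:   %q err=%v\n", argv, err)
	}
}
```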

Affected Version(s)

filebrowser >= 2.0.0-rc.1, <= 2.63.1

References

CVSS V4

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
