Path Normalization Flaw in Filebrowser by Filebrowser Inc.
CVE-2026-61874

2.3LOW

Key Information:

Vendor
CVE Published:
12 July 2026

What is CVE-2026-61874?

Filebrowser versions prior to 2.63.17 exhibit a path normalization vulnerability within the DeleteWithPathPrefix function. This flaw permits authenticated users to manipulate the share index by using trailing-slash paths. As a result, users can delete shared directories, only to recreate them, thereby reopening access to stale public shares, which can lead to unauthorized exposure of sensitive data through outdated URLs.

Affected Version(s)

filebrowser 0 < 2.63.17

filebrowser 2.63.17

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

DavidCarliez
hacdias
.