SB20260408139 - Multiple vulnerabilities in FileBrowser

Published: April 8, 2026

Security Bulletin ID: SB20260408139
Severity: High
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 33%
Low: 67%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Improper privilege management (CVE-ID: CVE-2026-32760)

The vulnerability allows a remote attacker to gain administrative access.

The vulnerability exists due to improper privilege management in the signup handler in http/auth.go when processing self-registration requests. A remote attacker can register a new account through the public signup endpoint to gain administrative access.

Exploitation is possible only when self-registration is enabled and the default user permissions include administrative privileges.


2) Path traversal (CVE-ID: CVE-2026-32758)

The vulnerability allows a remote user to bypass access rules and write or move files into restricted paths.

The vulnerability exists due to path traversal in the resourcePatchHandler destination parameter when handling PATCH copy or rename requests. A remote user can send a specially crafted PATCH request with dot-dot sequences in the destination parameter to bypass access rules and write or move files into restricted paths.

Exploitation requires Create or Rename permissions, and the issue affects administrator-configured deny rules within the user's BasePathFs scope.
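The defence the second item implies is to canonicalise the client-supplied destination before comparing it against deny rules, so that dot-dot segments cannot route a write around a rule on the resolved path. The following is an added illustration, not FileBrowser's own code; the DenyRule type, the prefix-based rule format and the scope-relative path convention are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// DenyRule is a hypothetical stand-in for an administrator-configured deny
// rule: a scope-relative path prefix that users may not write or move into.
type DenyRule struct{ Prefix string }

var (
	ErrTraversal = errors.New("destination climbs above the user's scope")
	ErrDenied    = errors.New("destination matches an administrator deny rule")
)

// ValidateDestination canonicalises a PATCH copy/rename destination and
// evaluates deny rules against the canonical form. Evaluating them against
// the raw string would let "public/../secret/x" slip past a rule on "/secret".
func ValidateDestination(dst string, rules []DenyRule) (string, error) {
	if strings.ContainsRune(dst, 0) {
		return "", ErrTraversal // a NUL byte can truncate the path in lower layers
	}
	// The "./" anchor makes path.Clean keep a leading ".." only when the input
	// climbs above the scope root, which is exactly the case to reject.
	rel := path.Clean("./" + dst)
	if rel == ".." || strings.HasPrefix(rel, "../") {
		return "", ErrTraversal
	}
	canonical := "/"
	if rel != "." {
		canonical += rel
	}
	for _, r := range rules {
		p := path.Clean("/" + r.Prefix) // rules get the same canonical form
		if canonical == p || strings.HasPrefix(canonical, p+"/") {
			return "", ErrDenied
		}
	}
	return canonical, nil
}

func main() {
	rules := []DenyRule{{Prefix: "/secret"}} // constructed sample rule
	for _, dst := range []string{"public/a.txt", "public/../secret/a.txt", "../../etc/x"} {
		got, err := ValidateDestination(dst, rules)
		fmt.Printf("%-26q -> %q %v\n", dst, got, err)
	}
}
```

The check is deliberately applied after path cleaning and with a separator-aware prefix match, so a rule on /secret does not also block /secretfile.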


3) Incorrect authorization (CVE-ID: CVE-2026-32761)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to incorrect authorization in the public share download flow when serving files shared by a user who lacks download privileges. A remote user can create a public share link and retrieve the shared file content to disclose sensitive information.

Exploitation requires an authenticated user account with share permission enabled while download permission is denied, and the exposed content can then be accessed through an unauthenticated public share URL.


Remediation

Install the update from the vendor's website.