Path traversal in FileBrowser - CVE-2026-32758

 


Published: April 8, 2026


Vulnerability identifier: #VU125394
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32758
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: File Browser
Affected software:
FileBrowser

Detailed vulnerability description

The vulnerability allows a remote user to bypass access rules and write or move files into restricted paths.

The vulnerability exists due to path traversal in the resourcePatchHandler destination parameter when handling PATCH copy or rename requests. A remote user can send a specially crafted PATCH request with dot-dot sequences in the destination parameter to bypass access rules and write or move files into restricted paths.

Exploitation requires Create or Rename permissions, and the issue affects administrator-configured deny rules within the user's BasePathFs scope.
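
One way a deny-rule bypass of this kind can arise, shown as an added Go example that is not FileBrowser's code: it assumes the rule is evaluated against the destination as received, before dot-dot segments are resolved. `denyPrefixes`, `allowedRaw`, `allowedClean` and the sample paths are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// denyPrefixes is a constructed rule set standing in for
// administrator-configured deny rules inside the user's scope.
var denyPrefixes = []string{"/private"}

// denied reports whether p falls under a deny rule (segment-aware prefix match).
func denied(p string) bool {
	for _, d := range denyPrefixes {
		if p == d || strings.HasPrefix(p, d+"/") {
			return true
		}
	}
	return false
}

// allowedRaw checks the rule against the destination exactly as received.
// A later filesystem layer resolves ".." segments, so the path that was
// checked is not the path that gets written.
func allowedRaw(dst string) bool {
	return !denied(dst)
}

// allowedClean normalizes the destination first, then checks the rule
// against the path the filesystem will actually use.
func allowedClean(dst string) (string, bool) {
	clean := path.Clean("/" + dst)
	return clean, !denied(clean)
}

func main() {
	for _, dst := range []string{ // constructed sample destinations
		"/public/report.txt",
		"/public/../private/report.txt",
		"/private/report.txt",
	} {
		clean, ok := allowedClean(dst)
		fmt.Printf("%-32s raw=%v clean=%v resolved=%s\n", dst, allowedRaw(dst), ok, clean)
	}
}
```

The second sample passes the raw check but is rejected once normalized, which is the ordering to verify when reviewing any handler that applies path-based rules to user-supplied destinations.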


How to mitigate CVE-2026-32758

Install the security update from the vendor's website.
