Link following in FileBrowser - #VU133483

 

Published: June 8, 2026


Vulnerability identifier: #VU133483
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-59
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: File Browser
Affected software: FileBrowser

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and overwrite files outside the intended filebrowser scope.

The vulnerability exists due to improper link resolution before file access in the HTTP file handlers when processing paths that reference symbolic links inside a scoped directory. A remote attacker can access a symlink that points outside the scoped directory to disclose sensitive information and overwrite files outside the intended filebrowser scope.

If public sharing is permitted, the issue can also expose the outside target through a public share. The proof assumes a symlink already exists inside the user's scoped directory, or that another allowed workflow can place it there.
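
A scope check that resolves links before testing containment, shown beside the lexical-only join that a symlink inside the scoped directory defeats. This is an added Go example, not FileBrowser's code or the vendor's fix; the function names (lexicalJoin, resolveInScope, buildFixture) and the file layout are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideScope = errors.New("path resolves outside scope")

// lexicalJoin is the weak pattern: it neutralises "../" but ignores symlinks.
func lexicalJoin(scope, reqPath string) string {
	return filepath.Join(scope, filepath.Join("/", reqPath))
}

// resolveInScope resolves links first, then checks containment on the real path.
func resolveInScope(scope, reqPath string) (string, error) {
	realScope, err := filepath.EvalSymlinks(scope)
	if err != nil {
		return "", err
	}
	target, err := filepath.EvalSymlinks(lexicalJoin(realScope, reqPath))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realScope, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideScope
	}
	return target, nil
}

// buildFixture creates a constructed layout: scope/ok.txt, outside/secret.txt, scope/link -> outside.
func buildFixture(root string) (string, error) {
	scope, outside := filepath.Join(root, "scope"), filepath.Join(root, "outside")
	return scope, errors.Join(os.Mkdir(scope, 0700), os.Mkdir(outside, 0700),
		os.WriteFile(filepath.Join(scope, "ok.txt"), []byte("in scope"), 0600),
		os.WriteFile(filepath.Join(outside, "secret.txt"), []byte("out of scope"), 0600),
		os.Symlink(outside, filepath.Join(scope, "link")))
}

func main() {
	root, _ := os.MkdirTemp("", "scope-demo")
	defer os.RemoveAll(root)
	scope, _ := buildFixture(root)
	fmt.Println(lexicalJoin(scope, "link/secret.txt"))    // still looks like a path under scope
	fmt.Println(resolveInScope(scope, "link/secret.txt")) // rejected after link resolution
}
```

The check and the later open are separate steps, so a link swapped in between can still race it; opening relative to a directory handle (os.Root in Go 1.24) avoids that. For a file that does not exist yet, resolve its parent directory instead.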


Remediation

Install the security update from the vendor's website.
