Link following in FileBrowser - CVE-2026-55668

 

Link following in FileBrowser - CVE-2026-55668

Published: June 29, 2026


Vulnerability identifier: #VU135764
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-55668
CWE-ID: CWE-59
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: File Browser
Affected software:
FileBrowser

Detailed vulnerability description

The vulnerability allows a remote user to create files outside their intended scope.

The vulnerability exists due to improper link resolution before file access in ScopedFs when handling write and create operations through a dangling symlink. A remote user can send a specially crafted write request targeting a dangling symlink to create files outside their intended scope.

Exploitation requires Create and Modify permissions and a dangling symlink to a non-existent out-of-scope target to be present inside the user's scope.


How to mitigate CVE-2026-55668

Install security update from vendor's website.

Sources