Link following in FileBrowser - CVE-2026-55668
Published: June 29, 2026
FileBrowser
Detailed vulnerability description
The vulnerability allows a remote user to create files outside their intended scope.
The vulnerability exists due to improper link resolution before file access in ScopedFs when handling write and create operations through a dangling symlink. A remote user can send a specially crafted write request targeting a dangling symlink to create files outside their intended scope.
Exploitation requires Create and Modify permissions, and a dangling symlink whose non-existent target lies outside the scope must be present inside the user's scope.
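The failure mode described above, as an added Go example (not FileBrowser's ScopedFs code): a scope check that reads "target does not exist" as "new file" lets a dangling symlink through, while the hardened check uses Lstat to spot the link before anything is created. `NaiveCheck`, `CheckWrite`, `within` and `ErrEscape` are hypothetical names, and refusing every dangling symlink is an assumed policy, not the project's documented fix.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscape = errors.New("write target is a dangling symlink or outside scope")

// within reports whether resolved path p is scope itself or below it.
func within(scope, p string) bool {
	rel, err := filepath.Rel(scope, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// NaiveCheck is the weak form (hypothetical, not FileBrowser code): a dangling link
// makes EvalSymlinks fail with ErrNotExist, which is mistaken for "new file".
func NaiveCheck(scope, p string) bool {
	resolved, err := filepath.EvalSymlinks(p)
	return errors.Is(err, os.ErrNotExist) || (err == nil && within(scope, resolved))
}

// CheckWrite is the hardened form (assumed policy: never create through a dangling
// link). A genuinely new file is judged by its parent; scope must be pre-resolved.
func CheckWrite(scope, p string) error {
	resolved, err := filepath.EvalSymlinks(p)
	if errors.Is(err, os.ErrNotExist) {
		if fi, lerr := os.Lstat(p); lerr == nil && fi.Mode()&os.ModeSymlink != 0 {
			return ErrEscape // the link exists but its target does not
		}
		resolved, err = filepath.EvalSymlinks(filepath.Dir(p))
	}
	if err == nil && !within(scope, resolved) {
		err = ErrEscape
	}
	return err
}

func main() {
	scope, _ := os.MkdirTemp("", "scope-demo") // constructed layout for the demo
	defer os.RemoveAll(scope)
	scope, _ = filepath.EvalSymlinks(scope)
	link := filepath.Join(scope, "note.txt")
	os.Symlink(filepath.Join(scope, "..", "missing-outside.txt"), link) // dangling
	fmt.Println("naive allows:", NaiveCheck(scope, link), "| hardened:", CheckWrite(scope, link))
}
```

The check and the later open are separate steps, so a link swapped in between them is still followed; opening with `O_NOFOLLOW`, or through `os.Root` on Go 1.24 and later, closes that gap.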