CVE-2026-34528
Last modified
CVE-2026-34528 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. EPSS estimates a 0.65% chance of exploitation in the next 30 days.
Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Filebrowser | Filebrowser | < 2.62.2 |
References
- https://github.com/filebrowser/filebrowser/releases/tag/v2.62.2Product, Release Notes
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-x8jc-jvqm-pm3fExploit, Mitigation, Vendor Advisory
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-x8jc-jvqm-pm3fExploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-34528?
How severe is CVE-2026-34528?
How do I fix CVE-2026-34528?
Are you affected by CVE-2026-34528?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST