File Browser
cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*
- <= 2.60.0
A path traversal vulnerability has been identified in File Browser versions through 2.60.0. When a user creates a public share link for a directory, the 'withHashFile' middleware incorrectly sets the filesystem root to the parent directory of the shared directory. This flaw allows anyone with the share link to browse and download files from all sibling directories, rather than just the intended shared directory.
This vulnerability leads to unauthorized access and disclosure of files from sibling directories outside the shared directory scope.
To reproduce this vulnerability, create a public share link for a directory containing files. The share link will grant access to all files in the parent directory, including those in sibling directories, bypassing intended access controls.
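The following Go program is an added illustration of the root-scoping mistake described above; it is not File Browser's own code and does not reproduce the `withHashFile` middleware. It uses a constructed in-memory file tree (`/srv/data/shared` as the shared directory, `/srv/data/private` as a sibling) and hypothetical helpers `shareRoot`, `resolveWithinRoot` and `serve` to show why a share handler rooted at the parent directory exposes sibling files even to requests that contain no `..` segments, while rooting at the shared directory itself confines every request.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample tree (not a real filesystem): the share is created
// for /srv/data/shared, and /srv/data/private is a sibling that must
// stay hidden from share-link holders.
var sampleFiles = map[string]bool{
	"/srv/data/shared/report.pdf":  true,
	"/srv/data/private/secret.txt": true,
}

var (
	ErrOutsideRoot = errors.New("requested path escapes the share root")
	ErrNotFound    = errors.New("file not found under share root")
)

// shareRoot picks the filesystem root a share handler serves from.
// rootAtParent=true mirrors the flawed behaviour in the advisory (root is
// the parent of the shared directory); false is the intended behaviour.
func shareRoot(sharedDir string, rootAtParent bool) string {
	if rootAtParent {
		return filepath.Dir(filepath.Clean(sharedDir))
	}
	return filepath.Clean(sharedDir)
}

// resolveWithinRoot joins a client-supplied path onto root and rejects
// any result that is not lexically inside root. This is a generic
// containment check (hypothetical helper); a production server would also
// resolve symlinks before serving.
func resolveWithinRoot(root, requested string) (string, error) {
	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, requested) // Join also collapses ".." segments
	rel, err := filepath.Rel(cleanRoot, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

// serve simulates a share download: containment check first, then an
// existence lookup in the constructed sample tree. Returns the path that
// would be served, or an error.
func serve(root, requested string) (string, error) {
	path, err := resolveWithinRoot(root, requested)
	if err != nil {
		return "", err
	}
	if !sampleFiles[path] {
		return "", ErrNotFound
	}
	return path, nil
}

func main() {
	shared := "/srv/data/shared"
	for _, rootAtParent := range []bool{true, false} {
		root := shareRoot(shared, rootAtParent)
		for _, req := range []string{"report.pdf", "private/secret.txt", "../private/secret.txt"} {
			got, err := serve(root, req)
			fmt.Printf("root=%s request=%q -> path=%q err=%v\n", root, req, got, err)
		}
	}
}
```

With the root at the parent, the plain request `private/secret.txt` passes the containment check and resolves to the sibling's file; no traversal sequence is involved, which is why a `..`-stripping filter alone would not have prevented the disclosure. With the root set to the shared directory, the same request is simply not found and an explicit `../` request is rejected as outside the root.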
Users should update to File Browser version 2.61.0 or later, where this vulnerability is patched.