Vulnerability Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Filebrowser | Filebrowser | >= 2.0.0, < 2.61.0 |
Related Weaknesses (CWE)
References
- https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273Patch
- https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0Release Notes
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rwExploitVendor AdvisoryMitigation
FAQ
What is CVE-2026-28492?
CVE-2026-28492 is a vulnerability with a CVSS score of 6.5 (MEDIUM). File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public...
How severe is CVE-2026-28492?
CVE-2026-28492 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28492?
Check the references section above for vendor advisories and patch information. Affected products include: Filebrowser Filebrowser.