Vulnerability Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 through 2.63.1, the hook system in File Browser — which executes administrator-defined shell commands on file events such as upload, rename, and delete — is vulnerable to OS command injection. Variable substitution for values like $FILE and $USERNAME is performed via os.Expand without sanitization. An attacker with file write permission can craft a malicious filename containing shell metacharacters, causing the server to execute arbitrary OS commands when the hook fires. This results in Remote Code Execution (RCE). This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Filebrowser | Filebrowser | >= 2.0.0, <= 2.63.1 |
Related Weaknesses (CWE)
References
- https://github.com/filebrowser/filebrowser/issues/5199Patch
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jvpw-637p-h3ExploitVendor Advisory
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jvpw-637p-h3ExploitVendor Advisory
FAQ
What is CVE-2026-35585?
CVE-2026-35585 is a vulnerability with a CVSS score of 7.2 (HIGH). File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 through 2.63.1, the hook system in File Browser — wh...
How severe is CVE-2026-35585?
CVE-2026-35585 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35585?
Check the references section above for vendor advisories and patch information. Affected products include: Filebrowser Filebrowser.