#VU125394 Path traversal in FileBrowser - CVE-2026-32758

 


Published: April 8, 2026


Vulnerability identifier: #VU125394
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32758
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: FileBrowser
Software vendor: File Browser

Description

The vulnerability allows a remote user to bypass access rules and write or move files into restricted paths.

The vulnerability exists due to path traversal in the resourcePatchHandler destination parameter when handling PATCH copy or rename requests. A remote user can send a specially crafted PATCH request with dot-dot sequences in the destination parameter to bypass access rules and write or move files into restricted paths.

Exploitation requires Create or Rename permissions, and the issue affects administrator-configured deny rules within the user's BasePathFs scope.
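The rule-check ordering behind this class of bug, as an added example (not FileBrowser's code): a deny rule evaluated on the destination as sent can disagree with the path the filesystem layer resolves, so the fix pattern is to normalise first and check second. The names denyRules, denied, checkRaw and checkClean and the sample paths are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// denyRules is a constructed sample of administrator-configured deny prefixes.
var denyRules = []string{"/restricted"}

// denied reports whether p is a deny prefix or sits beneath one.
func denied(p string) bool {
	for _, r := range denyRules {
		if p == r || strings.HasPrefix(p, r+"/") {
			return true
		}
	}
	return false
}

// checkRaw models the weak ordering: the rule check sees the destination
// exactly as sent, while the returned path is what gets resolved afterwards.
func checkRaw(dst string) (resolved string, allowed bool) {
	return path.Clean("/" + dst), !denied(dst)
}

// checkClean normalises first, so the rule check and the filesystem layer
// both operate on the same rooted, dot-dot-free path.
func checkClean(dst string) (resolved string, allowed bool) {
	resolved = path.Clean("/" + dst)
	return resolved, !denied(resolved)
}

func main() {
	// Constructed sample destinations, not taken from a real request.
	samples := []string{"/public/report.txt", "/public/../restricted/report.txt"}
	for _, dst := range samples {
		rawPath, rawOK := checkRaw(dst)
		cleanPath, cleanOK := checkClean(dst)
		fmt.Printf("dst=%q\n  raw check:   resolves to %q allowed=%v\n", dst, rawPath, rawOK)
		fmt.Printf("  clean check: resolves to %q allowed=%v\n", cleanPath, cleanOK)
	}
}
```

The same normalise-then-check ordering is useful in log review: a destination whose cleaned form differs from the value sent and lands under a deny prefix is worth flagging.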


Remediation

Install the security update from the vendor's website.
