CVE-2026-35585
7.2 HIGHFile Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory
Published: 2026-04-07 · Last updated: 2026-06-09
Severity and scoring
- CVSS
- 7.2 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-78, CWE-88
Affected products
| Vendor | Product |
|---|---|
| filebrowser | filebrowser |
Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 until 2.33.8, the hook system in File Browser — which executes administrator-defined shell commands on file events such as upload, rename, and delete — is vulnerable to OS command injection. Variable substitution for values like $FILE and $USERNAME is performed via os.Expand without sanitization. An attacker with file write permission can craft a malicious filename containing shell metacharacters, causing the server to execute arbitrary OS commands when the hook fires. This results in Remote Code Execution (RCE). This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-35585
- [Patch]https://github.com/filebrowser/filebrowser/issues/5199
- [Vendor advisory]https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jvpw-637p-h3pw
- [Vendor advisory]https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jvpw-637p-h3pw
Related CVEs
Same vendor
- CVE-2026-32759 — File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory (8.1 HIGH)
- CVE-2025-52904 — File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and ed... (8.0 HIGH)
- CVE-2025-52903 — File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and ed... (8.0 HIGH)
Same CWE
- CVE-2026-22313 — The device has a webserver that exposes a REST API authenticated with a token on the management network (9.1 CRITICAL)
- CVE-2026-44932 — Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a ... (8.8 HIGH)
- CVE-2026-12398 — A command injection vulnerability was found in galaxy_ng (7.5 HIGH)
- CVE-2026-5416 — Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command in... (8.8 HIGH)
- CVE-2026-12161 — Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user ... (8.8 HIGH)