Nixpkgs security tracker

Login with GitHub

Suggestions search

Published
Filter by:
With package: filebrowser

Found 8 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-34528
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 13 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 16 hours ago
  • @LeSuisse removed package filebrowser-quantum 13 hours ago
  • @LeSuisse removed package python312Packages.filebrowser-safe 13 hours ago
  • @LeSuisse removed package python313Packages.filebrowser-safe 13 hours ago
  • @LeSuisse removed package python314Packages.filebrowser-safe 13 hours ago
  • @LeSuisse accepted 13 hours ago
  • @LeSuisse published on GitHub 13 hours ago
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.

Affected products

filebrowser
  • ==< 2.62.2

Matching in nixpkgs

Ignored packages (4)

Package maintainers

Advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-x8jc-jvqm-pm3f
Permalink CVE-2026-34530
6.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 13 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 16 hours ago
  • @LeSuisse removed package filebrowser-quantum 13 hours ago
  • @LeSuisse removed package python312Packages.filebrowser-safe 13 hours ago
  • @LeSuisse removed package python313Packages.filebrowser-safe 13 hours ago
  • @LeSuisse removed package python314Packages.filebrowser-safe 13 hours ago
  • @LeSuisse accepted 13 hours ago
  • @LeSuisse published on GitHub 13 hours ago
File Browser is vulnerable to Stored Cross-Site Scripting via text/template branding injection

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2.

Affected products

filebrowser
  • ==< 2.62.2

Matching in nixpkgs

Ignored packages (4)

Package maintainers

Advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-xfqj-3vmx-63wv
Permalink CVE-2026-34529
7.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 13 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 16 hours ago
  • @LeSuisse removed package filebrowser-quantum 13 hours ago
  • @LeSuisse removed package python312Packages.filebrowser-safe 13 hours ago
  • @LeSuisse removed package python313Packages.filebrowser-safe 13 hours ago
  • @LeSuisse removed package python314Packages.filebrowser-safe 13 hours ago
  • @LeSuisse accepted 13 hours ago
  • @LeSuisse published on GitHub 13 hours ago
File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the EPUB preview function in File Browser is vulnerable to Stored Cross-Site Scripting (XSS). JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file. This issue has been patched in version 2.62.2.

Affected products

filebrowser
  • ==< 2.62.2

Matching in nixpkgs

Ignored packages (4)

Package maintainers

Advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5vpr-4fgw-f69h
Permalink CVE-2026-29188
9.1 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 weeks, 5 days ago by @mweinelt Activity log
  • Created automatic suggestion 3 weeks, 6 days ago
  • @mweinelt removed package python314Packages.filebrowser-safe 3 weeks, 5 days ago
  • @mweinelt removed package python313Packages.filebrowser-safe 3 weeks, 5 days ago
  • @mweinelt removed package python312Packages.filebrowser-safe 3 weeks, 5 days ago
  • @mweinelt removed package filebrowser-quantum 3 weeks, 5 days ago
  • @mweinelt accepted 3 weeks, 5 days ago
  • @mweinelt published on GitHub 3 weeks, 5 days ago
File Browser: TUS Delete Endpoint Bypasses Delete Permission Check

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.

Affected products

filebrowser
  • ==< 2.61.1

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-28492
updated 3 weeks, 5 days ago by @mweinelt Activity log
  • Created automatic suggestion 3 weeks, 6 days ago
  • @mweinelt removed package filebrowser-quantum 3 weeks, 5 days ago
  • @mweinelt removed package python312Packages.filebrowser-safe 3 weeks, 5 days ago
  • @mweinelt removed package python313Packages.filebrowser-safe 3 weeks, 5 days ago
  • @mweinelt removed package python314Packages.filebrowser-safe 3 weeks, 5 days ago
  • @mweinelt accepted 3 weeks, 5 days ago
  • @mweinelt published on GitHub 3 weeks, 5 days ago
File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0.

Affected products

filebrowser
  • ==< 2.61.0

Matching in nixpkgs

Package maintainers

https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69
https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83
Permalink CVE-2026-25890
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 3 weeks ago
  • @LeSuisse removed package filebrowser-quantum 1 month, 3 weeks ago
  • @LeSuisse removed package python312Packages.filebrowser-safe 1 month, 3 weeks ago
  • @LeSuisse removed package python313Packages.filebrowser-safe 1 month, 3 weeks ago
  • @LeSuisse removed package python314Packages.filebrowser-safe 1 month, 3 weeks ago
  • @LeSuisse accepted 1 month, 3 weeks ago
  • @LeSuisse published on GitHub 1 month, 3 weeks ago
File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting unauthorized access to restricted files. This vulnerability is fixed in 2.57.1.

Affected products

filebrowser
  • ==< 2.57.2

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/aardappel/lobster/issues/395
Upstream patch: https://github.com/filebrowser/filebrowser/commit/489af403a19057f6b6b4b1dc0e48cbb26a202ef9
Permalink CVE-2026-25889
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 3 weeks ago
  • @LeSuisse removed package filebrowser-quantum 1 month, 3 weeks ago
  • @LeSuisse removed package python312Packages.filebrowser-safe 1 month, 3 weeks ago
  • @LeSuisse removed package python313Packages.filebrowser-safe 1 month, 3 weeks ago
  • @LeSuisse removed package python314Packages.filebrowser-safe 1 month, 3 weeks ago
  • @LeSuisse accepted 1 month, 3 weeks ago
  • @LeSuisse published on GitHub 1 month, 3 weeks ago
File Browser has an Authentication Bypass in User Password Update

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1.

Affected products

filebrowser
  • ==< 2.57.1

Matching in nixpkgs

Package maintainers

Upstream advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hxw8-4h9j-hq2r
Upstream patch: https://github.com/filebrowser/filebrowser/commit/ff2f00498cff151e2fb1f5f0b16963bf33c3d6d4
Permalink CVE-2026-23849
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 1 week ago
  • @LeSuisse removed package python312Packages.filebrowser-safe 2 months, 1 week ago
  • @LeSuisse removed package python313Packages.filebrowser-safe 2 months, 1 week ago
  • @LeSuisse removed maintainer @prikhi 2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago
File Browser vulnerable to Username Enumeration via Timing Attack in /api/login

File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue.

Affected products

filebrowser
  • ==< 2.55.0

Matching in nixpkgs

pkgs.filebrowser

Filebrowser is a web application for managing files and directories

Package maintainers

Upstream advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc
Upstream patch: https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889