RCE in Filebrowser
CVE-2026-35585
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 through 2.63.1, the hook system in File Browser — which executes administrator-defined shel…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.004 (61.0th percentile)
Affected products
- Filebrowser — versions >= 2.0.0-rc.1, <= 2.63.1
Weakness classification (CWE)
Public proof-of-concept exploits
References
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jvpw-637p-h3pw (x_refsource_CONFIRM)
- https://github.com/filebrowser/filebrowser/issues/5199 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-35585?
- CVE-2026-35585 is a vulnerability in Filebrowser, classified under OS Command Injection. Published 2026-04-07.
- Is CVE-2026-35585 known to be exploited?
- 1 public proof-of-concept repository is indexed. It is not currently listed in the CISA KEV catalog.