Path Traversal in Filebrowser

CVE-2026-35605

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the Matches() function in rules/rules.go uses strings.HasPrefix() without a trailing…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (8.7th percentile) — read the EPSS interpretation.

Affected products

Filebrowser — versions < 2.63.1

Weakness classification (CWE)

CWE-22 — Path Traversal

References

https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5q48-q4fm-g3m6 (x_refsource_CONFIRM)
https://github.com/filebrowser/filebrowser/pull/5889 (x_refsource_MISC)