7.1
File Browser in File Manager Allows Access to Sibling Directories
CVE-2026-28492
GHSA-mr74-928f-rw69
Summary
A security issue in File Manager's file sharing feature allowed users to access and download files from directories outside the shared folder. The issue is fixed in version 2.61.0; update to the latest version. Users on an older version should restrict access to shared links until they can update.
What to do
- Update github.com filebrowser to version 2.61.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | filebrowser | <= 2.60.0 | 2.61.0 |
| filebrowser | filebrowser | > 2.0.0 , <= 2.61.0 | – |
Original title
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a pub...
Original description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0.
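The root computation described above, as an added example that is not File Browser's own code: it compares a share rooted at `filepath.Dir(link.Path)` with one rooted at the shared directory and lists which request paths land outside the share. The function names, sample paths and the "corrected" branch are assumptions made for illustration, not the project's actual patch.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// shareRoot picks the filesystem root for a public directory share.
// parentBug=true reproduces the advisory's pattern, filepath.Dir(link.Path).
func shareRoot(linkPath string, parentBug bool) string {
	if parentBug {
		return filepath.Dir(linkPath) // root becomes the parent directory
	}
	return linkPath // assumed correction: root is the shared directory itself
}

// resolve maps a request path under root the way a base-path filesystem
// does: the request is cleaned as an absolute path, so ".." stops at root.
func resolve(root, reqPath string) string {
	return filepath.Join(root, filepath.Clean("/"+reqPath))
}

// insideShare reports whether target is the shared directory or below it.
func insideShare(linkPath, target string) bool {
	rel, err := filepath.Rel(linkPath, target)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// audit returns the request paths that resolve outside the shared directory.
func audit(linkPath string, parentBug bool, reqs []string) []string {
	var outside []string
	for _, r := range reqs {
		if !insideShare(linkPath, resolve(shareRoot(linkPath, parentBug), r)) {
			outside = append(outside, r)
		}
	}
	return outside
}

func main() {
	link := "/srv/data/alice/shared" // constructed sample path
	reqs := []string{"/shared/notes.txt", "/private/keys.txt", "/../private/keys.txt", "/"}
	fmt.Println("root = parent:", audit(link, true, reqs))
	fmt.Println("root = share: ", audit(link, false, reqs))
}
```

Path cleaning alone does not help when the root is the parent: every request stays under the root, yet the root already contains the siblings, so a containment check against the shared directory itself is what catches the problem.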
NVD CVSS 4.0 score: 7.1
Vulnerability type
CWE-200
Information Exposure
- https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273...
- https://github.com/filebrowser/filebrowser/releases/tag/v2.61.0
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw...
- https://nvd.nist.gov/vuln/detail/CVE-2026-28492
- https://github.com/advisories/GHSA-mr74-928f-rw69
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026