filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose new contents through the dormant public share URL.
Metrics
Affected Vendors & Products
References
History
Sun, 12 Jul 2026 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Filebrowser
Filebrowser filebrowser |
|
| Vendors & Products |
Filebrowser
Filebrowser filebrowser |
Sun, 12 Jul 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose new contents through the dormant public share URL. | |
| Title | filebrowser before 2.63.17 Stale Public Share via Trailing-Slash Delete | |
| Weaknesses | CWE-863 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-12T12:06:36.293Z
Reserved: 2026-07-10T21:54:26.760Z
Link: CVE-2026-61874
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-12T13:30:03Z