cvedb.io
CVE-2026-34528
HIGH · CVSS 8.1
EPSS exploitation probability: 0%
Published 2026-04-01T21:17:00.660 · Last modified 2026-06-17T10:39:10.730

Summary

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.

Affected products

filebrowser — filebrowser

Does this affect you?

Add your gear to cvedb and we'll alert you only when filebrowser ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.