cvedb.io
CVE-2026-61874
LOW · CVSS 3.1
EPSS exploitation probability: 0%
Published 2026-07-12T12:16:46.117 · Last modified 2026-07-12T12:16:46.117

Summary

filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose new contents through the dormant public share URL.

Does this affect you?

Add your gear to cvedb and we'll alert you only when a vendor you run ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.