How many CVEs does filebrowser filebrowser have?

filebrowser filebrowser has 33 published CVE records since 2021.

How many filebrowser filebrowser CVEs are in CISA KEV?

None of filebrowser filebrowser's CVEs are currently listed in CISA's Known Exploited Vulnerabilities catalog.

Are there public exploits for filebrowser filebrowser vulnerabilities?

Yes — 28 of filebrowser filebrowser's CVEs have a known public exploit.

Which versions of filebrowser filebrowser are affected?

261 distinct filebrowser filebrowser versions are named across its CVEs. Use the version filter above to see the CVEs affecting a specific version.

What are the most common weakness types in filebrowser filebrowser CVEs?

filebrowser filebrowser's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')), CWE-269 (Improper Privilege Management), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')).

How many critical filebrowser filebrowser vulnerabilities are there?

filebrowser filebrowser has 2 critical and 17 high-severity CVEs.

What is the average severity of filebrowser filebrowser CVEs?

The average CVSS base score across filebrowser filebrowser's scored CVEs is 7.1.

filebrowser Vulnerabilities: CVEs, CISA KEV & Security Advisories

Severity and exploitation

How the CVSS severity of filebrowser's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical2

High17

Medium10

Low1

3 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

None of filebrowser's CVEs are currently listed in CISA's KEV catalog.

Public exploits

28 of filebrowser's CVEs have a known public exploit available.

Affected versions and CVEs

Browse every filebrowser version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

v2.0.023 CVEs
v2.0.123 CVEs
v2.0.1023 CVEs
v2.0.1123 CVEs
v2.0.1223 CVEs
v2.0.1323 CVEs
v2.0.1423 CVEs
v2.0.1523 CVEs
v2.0.1623 CVEs
v2.0.223 CVEs
v2.0.323 CVEs
v2.0.423 CVEs
v2.0.523 CVEs
v2.0.623 CVEs
v2.0.723 CVEs
v2.0.823 CVEs
v2.0.923 CVEs
v2.1.023 CVEs
v2.1.123 CVEs
v2.1.223 CVEs
v2.10.023 CVEs
v2.11.023 CVEs
v2.12.023 CVEs
v2.12.123 CVEs
v2.13.023 CVEs
v2.14.023 CVEs
v2.14.123 CVEs
v2.15.023 CVEs
v2.2.023 CVEs
v2.3.023 CVEs
v2.4.023 CVEs
v2.5.023 CVEs
v2.6.023 CVEs
v2.6.123 CVEs
v2.6.223 CVEs
v2.7.023 CVEs
v2.8.023 CVEs
v2.9.023 CVEs
v1.0.022 CVEs
v1.0.122 CVEs
v1.0.222 CVEs
v1.1.022 CVEs
v1.1.122 CVEs
v1.10.022 CVEs
v1.11.022 CVEs
v1.2.022 CVEs
v1.2.122 CVEs
v1.2.222 CVEs
v1.2.322 CVEs
v1.2.422 CVEs
v1.2.522 CVEs
v1.2.622 CVEs
v1.2.722 CVEs
v1.2.822 CVEs
v1.2.922 CVEs
v1.3.022 CVEs
v1.3.122 CVEs
v1.3.1022 CVEs
v1.3.1122 CVEs
v1.3.1222 CVEs
v1.3.222 CVEs
v1.3.322 CVEs
v1.3.422 CVEs
v1.3.522 CVEs
v1.3.622 CVEs
v1.3.722 CVEs
v1.3.822 CVEs
v1.3.922 CVEs
v1.4.022 CVEs
v1.4.322 CVEs
v1.4.422 CVEs
v1.4.522 CVEs
v1.4.622 CVEs
v1.5.022 CVEs
v1.5.122 CVEs
v1.5.222 CVEs
v1.5.322 CVEs
v1.5.422 CVEs
v1.5.522 CVEs
v1.6.022 CVEs
v1.7.022 CVEs
v1.7.122 CVEs
v1.8.022 CVEs
v1.9.022 CVEs
v2.0.0-rc.122 CVEs
v2.0.0-rc.222 CVEs
v2.16.022 CVEs
v2.16.122 CVEs
v2.17.022 CVEs
v2.17.122 CVEs
v2.17.222 CVEs
v2.18.021 CVEs
v2.19.021 CVEs
v2.20.021 CVEs
v2.20.121 CVEs
v2.21.021 CVEs
v2.21.121 CVEs
v2.22.021 CVEs
v2.22.121 CVEs
v2.22.221 CVEs
v2.22.321 CVEs
v2.22.421 CVEs
v2.23.021 CVEs
v2.24.021 CVEs
v2.24.121 CVEs
v2.24.221 CVEs
v2.25.020 CVEs
v2.26.020 CVEs
v2.27.020 CVEs
v2.28.020 CVEs
v2.29.020 CVEs
v2.30.020 CVEs
v2.31.020 CVEs
v2.31.120 CVEs
v2.31.220 CVEs
v2.32.020 CVEs
v2.32.119 CVEs
v2.32.219 CVEs
v2.32.319 CVEs
v2.33.019 CVEs
v2.33.119 CVEs
v2.33.219 CVEs
v2.33.319 CVEs
v2.33.419 CVEs
v2.33.519 CVEs
v2.33.619 CVEs
v2.33.717 CVEs
v2.33.817 CVEs
v2.33.916 CVEs
v2.33.1014 CVEs
v2.34.014 CVEs
v2.34.113 CVEs
v2.34.213 CVEs
v2.35.013 CVEs
v2.36.012 CVEs
v2.36.112 CVEs
v2.36.212 CVEs
v2.36.312 CVEs
v2.37.012 CVEs
v2.38.012 CVEs
v2.39.011 CVEs
v2.40.010 CVEs
v2.40.110 CVEs
v2.40.210 CVEs
v2.41.010 CVEs
v2.42.010 CVEs
v2.42.110 CVEs
v2.42.210 CVEs
v2.42.310 CVEs
v2.42.410 CVEs
v2.42.510 CVEs
v2.43.010 CVEs
v2.44.010 CVEs
v2.44.110 CVEs
v2.44.210 CVEs
v2.45.010 CVEs
v2.45.19 CVEs
v2.45.29 CVEs
v2.45.39 CVEs
v2.46.09 CVEs
v2.46.19 CVEs
v2.47.09 CVEs
v2.48.09 CVEs
v2.48.19 CVEs
v2.48.29 CVEs
v2.49.09 CVEs
v2.50.09 CVEs
v2.51.09 CVEs
v2.51.19 CVEs
v2.51.29 CVEs
v2.52.09 CVEs
v2.53.09 CVEs
v2.53.19 CVEs
v2.54.09 CVEs
v2.55.08 CVEs
v2.56.08 CVEs
v2.57.08 CVEs
v2.57.16 CVEs
v2.58.06 CVEs
v2.59.06 CVEs
v2.60.06 CVEs
v2.61.05 CVEs
v2.61.14 CVEs
v2.61.24 CVEs
v1.4.23 CVEs

Version ranges

>= < 2.63.14 CVEs
< 2.62.03 CVEs
< 2.62.23 CVEs
>= < 2.62.03 CVEs
>= < 2.62.23 CVEs
< 2.33.72 CVEs
< 2.57.12 CVEs
< 2.63.12 CVEs
<= 1.2.92 CVEs
<= 2.63.02 CVEs
>= < 2.33.72 CVEs
1.2.1 <= v <= 1.2.12 CVEs
1.3.0 <= v <= 1.3.02 CVEs
2.32.0 <= v <= 2.32.02 CVEs

Fixed in

2.62.03 CVEs
2.62.23 CVEs
6aea2276177c9a5ca21115618e541fd237737f793 CVEs
2.33.72 CVEs
2.57.12 CVEs
2.63.12 CVEs
d6d84e2b48bd4c4268e1774e44a1186e04a8c0542 CVEs
da03728cd7319542850e2ea337beec83c168f69c2 CVEs
e193d43278e79549950d7f0e69af50a38c77f8552 CVEs
08c8ede587240472cd1524e40e514fc2bbc3466e1 CVE
09a26166b4f79446e7174c017380f6db45444e321 CVE
148b3c59422401ff00f255ae3044282d7a42192b1 CVE

Find a version

33 CVEs

Sort

File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands
CVE-2026-35607
Public exploit
Patch
CWE-269
High · CVSS 8.1
EPSS 0.4% (30th pct)2026-04-07
File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
CVE-2026-35606
Public exploit
Patch
CWE-862
Medium · CVSS 5.3
EPSS 0.3% (19th pct)2026-04-07
File Browser has an access rule bypass via HasPrefix without trailing separator in path matching
CVE-2026-35605
Public exploit
Patch
CWE-22
High · CVSS 7.5
EPSS 0.4% (31th pct)2026-04-07
File Browser share links remain accessible after Share/Download permissions are revoked
CVE-2026-35604
Public exploit
Patch
CWE-863
High · CVSS 8.2
EPSS 0.3% (25th pct)2026-04-07
File Browser has a Command Injection via Hook Runner
CVE-2026-35585
Public exploit
Patch
CWE-88
High · CVSS 7.5
EPSS 1.9% (77th pct)2026-04-07
File Browser is vulnerable to Stored Cross-Site Scripting via text/template branding injection
CVE-2026-34530
Public exploit
Patch
CWE-79
Medium · CVSS 6.9
EPSS 0.4% (27th pct)2026-04-01
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution
CVE-2026-34528
Public exploit
Patch
CWE-269
High · CVSS 8.1
EPSS 0.7% (46th pct)2026-04-01
File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file
CVE-2026-34529
Public exploit
Patch
CWE-79
High · CVSS 7.6
EPSS 0.3% (24th pct)2026-04-01
File Browser has an Authorization Policy Bypass in its Public Share Download Flow
CVE-2026-32761
Public exploit
Patch
CWE-639
Medium · CVSS 6.5
EPSS 0.4% (34th pct)2026-03-19
File Browser Self Registration Grants Any User Admin Access When Default Permissions Include Admin
CVE-2026-32760
Public exploit
Patch
CWE-284
Critical · CVSS 10.0
EPSS 0.7% (47th pct)2026-03-19
File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely
CVE-2026-32759
Patch
CWE-190
Medium · CVSS 5.3
EPSS 1.9% (77th pct)2026-03-19
File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter
CVE-2026-32758
Public exploit
Patch
CWE-22
Medium · CVSS 6.5
EPSS 0.4% (30th pct)2026-03-19
FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)
CVE-2026-30934
Public exploit
Patch
CWE-79
High · CVSS 8.9
EPSS 0.3% (26th pct)2026-03-10
FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info
CVE-2026-30933
Public exploit
Patch
CWE-200
High · CVSS 7.5
EPSS 0.5% (41th pct)2026-03-10
File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory
CVE-2026-28492
Public exploit
Patch
CWE-200
High · CVSS 7.1
EPSS 0.3% (24th pct)2026-03-05
File Browser: TUS Delete Endpoint Bypasses Delete Permission Check
CVE-2026-29188
Public exploit
Patch
CWE-732
Critical · CVSS 9.1
EPSS 0.5% (38th pct)2026-03-05
File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL
CVE-2026-25890
Patch
CWE-706
High · CVSS 8.1
EPSS 0.5% (36th pct)2026-02-09
File Browser has an Authentication Bypass in User Password Update
CVE-2026-25889
Patch
CWE-178
Medium · CVSS 5.4
EPSS 0.3% (24th pct)2026-02-09
File Browser vulnerable to Username Enumeration via Timing Attack in /api/login
CVE-2026-23849
Patch
CWE-208
Medium · CVSS 5.3
EPSS 0.4% (33th pct)2026-01-19
FileBrowser has Insecure Direct Object Reference (IDOR) in Share Deletion Function
CVE-2025-64523
Public exploit
Patch
CWE-639
High · CVSS 7.2
EPSS 0.4% (29th pct)2025-11-12
FileBrowser Has Insecure JWT Handling Which Allows Session Replay Attacks after Logout
CVE-2025-53826
Public exploit
CWE-305
High · CVSS 7.7
EPSS 0.5% (39th pct)2025-07-15
File Browser Vulnerable to Uncontrolled Memory Consumption Due to Oversized File Processing
CVE-2025-53893
Public exploit
CWE-400
High · CVSS 7.7
EPSS 0.3% (26th pct)2025-07-15
File Browser Insecurely Handles Passwords
CVE-2025-52997
Public exploit
Patch
CWE-307
Medium · CVSS 5.9
EPSS 0.5% (37th pct)2025-06-30
File Browser's Password Protection of Links Vulnerable to Bypass
CVE-2025-52996
Public exploit
CWE-305
Low · CVSS 3.1
EPSS 0.3% (23th pct)2025-06-30
File Browser vulnerable to command execution allowlist bypass
CVE-2025-52995
Public exploit
Patch
CWE-77
High · CVSS 8.1
EPSS 0.5% (39th pct)2025-06-30
File Browser allows sensitive data to be transferred in URL
CVE-2025-52901
Public exploit
Patch
CWE-598
Medium · CVSS 4.5
EPSS 0.5% (38th pct)2025-06-30
File Browser: Command Execution not Limited to Scope
CVE-2025-52904
Public exploit
Patch
CWE-77
High · CVSS 8.0
EPSS 0.9% (54th pct)2025-06-26
File Browser Allows Execution of Shell Commands That Can Spawn Other Commands
CVE-2025-52903
Public exploit
Patch
CWE-77
High · CVSS 8.0
EPSS 0.9% (55th pct)2025-06-26
File Browser has Stored Cross-Site Scripting vulnerability
CVE-2025-52902
Public exploit
Patch
CWE-79
High · CVSS 7.6
EPSS 0.3% (18th pct)2025-06-26
File Browser has Insecure File Permissions
CVE-2025-52900
Public exploit
Patch
CWE-276
Medium · CVSS 5.5
EPSS 0.2% (9th pct)2025-06-26

Showing 30 of 33

Severity and exploitation

Affected versions and CVEs

Specific versions

Version ranges

Fixed in

filebrowser Vulnerabilities

Overview

Severity and exploitation

Affected versions and CVEs

Specific versions

Version ranges

Fixed in

Common weakness types

Disclosure activity by year

Other filebrowser products

Frequently asked questions

How many CVEs does filebrowser filebrowser have?

How many filebrowser filebrowser CVEs are in CISA KEV?

Are there public exploits for filebrowser filebrowser vulnerabilities?

Which versions of filebrowser filebrowser are affected?

What are the most common weakness types in filebrowser filebrowser CVEs?

How many critical filebrowser filebrowser vulnerabilities are there?

What is the average severity of filebrowser filebrowser CVEs?

References

Track filebrowser vulnerabilities