CVE-2026-54093
MediumCVSS 6.8Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
A vulnerability in File Browser prior to version 2.63.6 allows files with backslash characters in their names to be saved, potentially leading to unauthorized file writes outside the target directory when extracting the archive on Windows systems.
Risk Assessment
Organizations may be exposed to unauthorized access to file systems, which could lead to data loss or the introduction of malware.
Recommendation
It is recommended to update File Browser to version 2.63.6 or later to mitigate this vulnerability.
Original NVD description (English source)
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, filebrowser builds the download-as-zip / download-as-tar archive entry names with filepath.ToSlash, which on a Linux host is a no-op for backslashes (\ is only a path separator on Windows). A file whose name contains Windows-style traversal is accepted by the resource handlers, stored on the Linux filesystem with a literal backslash name, and then emitted verbatim as the archive entry name. Windows extractors interpret \ as a path separator and write the extracted file outside the extraction directory — arbitrary file write on the victim who downloads and extracts the archive. This vulnerability is fixed in 2.63.6.

