CVE Catalog

CVE-2026-54094

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.46%

37th percentile — higher than 37% of all known CVEs

Summary

File Browser prior to version 2.63.14 does not prevent HTTP file handlers from following symbolic links, allowing users to cross their intended scope boundaries.

Risk Assessment

Allowing users to access files outside their scope may lead to unauthorized access to sensitive data.

Recommendation

It is recommended to upgrade to version 2.63.14 or later to mitigate this vulnerability.

Original NVD description (English source)

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.14, it does not stop the HTTP file handlers from following symbolic links before they open, serve, write, share, or list a file. As a result, a scoped user — and in some cases an unauthenticated public-share recipient — can cross the intended scope boundary by following a symlink whose path is lexically inside their scope but whose target is outside it. This vulnerability is fixed in 2.63.14.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS