CVE-2026-55667
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
In File Browser before version 2.63.16, an authenticated user with only Create permission can delete files outside their scope (including other tenants' data and the application's database) by exploiting the cleanup path after a failed upload. The ScopedFs.RemoveAll method bypasses symlink protections, and the direct upload handler calls it on a user-controlled path.
Risk Assessment
An attacker can delete critical system files, other tenants' data, or the application database, leading to data loss, service disruption, and system integrity compromise.
Recommendation
Immediately update File Browser to version 2.63.16 or later. If updating is not possible, restrict Create permission to trusted users and monitor logs for suspicious deletion operations.
Original NVD description (English source)
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.16, a scoped, non-admin File Browser user holding only the Create permission can delete arbitrary files outside their scope (other tenants' data, and the application's own database) via the upload failure-cleanup path. ScopedFs.RemoveAll is the one dereferencing operation that skips the symlink guard every other method enforces. The direct-upload handler runs RemoveAll on the user-controlled path during failed-upload cleanup, gated only by Perm.Create. If an escaping directory symlink already exists inside the user's scope, an authenticated create-only user can delete an out-of-scope target, bypassing both the ScopedFs boundary and the Perm.Delete gate. This vulnerability is fixed in 2.63.16.

