CVE-2026-25889
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1.
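The flaw class described above, as an added Go example (not File Browser's own code and not taken from the advisory): one common way a "field name spelled in Title Case" bypass arises is when a handler looks up the raw JSON key case-sensitively to decide whether a current-password check is needed, while `encoding/json` fills the struct case-insensitively. That mechanism, the `userUpdate` type, the `currentPassword` field name and the `verifyCurrent` callback are assumptions made for illustration; the example shows the flawed pattern, a hardened decision that keys off the decoded value, and a `caseVariantKeys` helper defenders can run over request logs to spot case-variant key spellings against unpatched instances.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// userUpdate is a hypothetical request body for a "change password" endpoint.
// The type and field names are assumptions for this example, not File Browser's
// actual request structs.
type userUpdate struct {
	Password        string `json:"password"`
	CurrentPassword string `json:"currentPassword"`
}

var errCurrentPasswordRequired = errors.New("current password required to change password")
var errCurrentPasswordWrong = errors.New("current password does not match")

// vulnerableDecide models the flawed pattern (assumed, for illustration): the
// handler decides whether a password change was requested by looking for the
// exact lowercase key in the raw JSON object, but takes the new value from a
// struct filled by encoding/json, which matches keys case-insensitively. A body
// spelling the key "Password" fails the raw lookup, so the current-password
// check is skipped, yet req.Password is still populated and applied.
func vulnerableDecide(body []byte, verifyCurrent func(string) bool) (bool, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return false, err
	}
	var req userUpdate
	if err := json.Unmarshal(body, &req); err != nil {
		return false, err
	}
	if _, present := raw["password"]; present { // case-sensitive lookup
		if req.CurrentPassword == "" {
			return false, errCurrentPasswordRequired
		}
		if !verifyCurrent(req.CurrentPassword) {
			return false, errCurrentPasswordWrong
		}
	}
	return req.Password != "", nil // applied even when the check above was skipped
}

// hardenedDecide derives the "is a password change requested?" decision from
// the decoded struct itself. Whatever key spelling encoding/json accepted ends
// up in req.Password, so the check and the write can no longer disagree.
func hardenedDecide(body []byte, verifyCurrent func(string) bool) (bool, error) {
	var req userUpdate
	if err := json.Unmarshal(body, &req); err != nil {
		return false, err
	}
	if req.Password == "" {
		return false, nil // no password change requested
	}
	if req.CurrentPassword == "" {
		return false, errCurrentPasswordRequired
	}
	if !verifyCurrent(req.CurrentPassword) {
		return false, errCurrentPasswordWrong
	}
	return true, nil
}

// caseVariantKeys returns every top-level key that equals canonical under case
// folding but not byte-for-byte. Useful as a request-log or WAF-side signal
// while an unpatched instance is still exposed.
func caseVariantKeys(body []byte, canonical string) ([]string, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, err
	}
	var out []string
	for k := range raw {
		if k != canonical && strings.EqualFold(k, canonical) {
			out = append(out, k)
		}
	}
	return out, nil
}

func main() {
	// Constructed stand-in for a password-hash comparison.
	verify := func(p string) bool { return p == "old-secret" }
	// Constructed request body: Title Case key, no current password supplied.
	body := []byte(`{"Password":"new-secret"}`)
	changed, err := vulnerableDecide(body, verify)
	fmt.Printf("vulnerable: changed=%v err=%v\n", changed, err)
	changed, err = hardenedDecide(body, verify)
	fmt.Printf("hardened:   changed=%v err=%v\n", changed, err)
	keys, _ := caseVariantKeys(body, "password")
	fmt.Printf("case-variant keys: %v\n", keys)
}
```

The design point is that a gate and the write it guards must be computed from the same parsed representation; reaching past the decoder to inspect raw keys reintroduces every leniency the decoder already applied. In `encoding/json` that leniency is case-insensitive field matching, but the same desynchronisation appears with any decoder that canonicalises keys.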
EPSS 0.02% · 4.2th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | filebrowser/filebrowser/v2 | 0, 0 |
| filebrowser | filebrowser | 0, < 2.57.1, * |
Timeline
- Feb 6, 2026 CVE ID Reserved
- Feb 9, 2026 CVE Published
- Feb 10, 2026 EPSS Score
- Feb 10, 2026 PoC Published
- Feb 10, 2026 CVE Updated
- Feb 12, 2026 EPSS Score
- Feb 14, 2026 EPSS Score
- Feb 16, 2026 EPSS Score
- Feb 18, 2026 EPSS Score
- Feb 20, 2026 EPSS Score
- Feb 22, 2026 EPSS Score
- Feb 24, 2026 EPSS Score
References
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hxw8-4h9j-hq2r url
- https://github.com/filebrowser/filebrowser/commit/ff2f00498cff151e2fb1f5f0b16963bf33c3d6d4 url
- https://github.com/filebrowser/filebrowser/releases/tag/v2.57.1 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-25889 advisory
- https://github.com/filebrowser/filebrowser package