VDB
CVE-2026-29188
CVE-2026-29188
PUBLISHED
CVSS 9.100000381469727 CRITICAL
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.
EPSS 0.03% · 8.0th percentile
Risk Scores
CVSS v3.1
9.100000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score
0.03%
8.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | filebrowser/filebrowser/v2 | 0, 0 |
| filebrowser | filebrowser | < 2.61.1, 0, < 2.61.1 |
Timeline
- Mar 4, 2026 CVE Published
- Mar 5, 2026 CVE Updated
- Mar 5, 2026 PoC Published
- Mar 6, 2026 EPSS Score
- Mar 7, 2026 EPSS Score
- Mar 7, 2026 PoC Published
- Mar 8, 2026 EPSS Score
- Mar 10, 2026 EPSS Score
- Mar 11, 2026 EPSS Score
- Mar 12, 2026 EPSS Score
- Mar 13, 2026 EPSS Score
- Mar 14, 2026 EPSS Score
References
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm url
- https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f url
- https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-29188 advisory
- https://github.com/filebrowser/filebrowser package