CVE-2026-61874

Severity CVSS v4.0:
LOW
Type:
Unavailable / Other
Publication date:
12/07/2026
Last modified:
12/07/2026

Description

filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose new contents through the dormant public share URL.