CVE-2026-61874
Severity CVSS v4.0:
LOW
Type:
Unavailable / Other
Publication date:
12/07/2026
Last modified:
12/07/2026
Description
filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose new contents through the dormant public share URL.
Impact
Base Score 4.0
2.30
Severity 4.0
LOW
Base Score 3.x
3.10
Severity 3.x
LOW



