File Browser: Path traversal in download-as-zip/tar via Windows-style backslash separators...

6.8 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, filebrowser builds the download-as-zip / download-as-tar archive entry names with filepath.ToSlash, which on a Linux host is a no-op for backslashes (\ is only a path separator on Windows). A file whose name contains Windows-style traversal is accepted by the resource handlers, stored on the Linux filesystem with a literal backslash name, and then emitted verbatim as the archive entry name. Windows extractors interpret \ as a path separator and write the extracted file outside the extraction directory — arbitrary file write on the victim who downloads and extracts the archive. This vulnerability is fixed in 2.63.6.

Basic Information

ID CVE-2026-54093

Source GitHub_M

Published Jun 25, 2026 at 17:39

Affected Product

Vendor filebrowser

Product filebrowser

Version < 2.63.6

Affected Versions filebrowser filebrowser < 2.63.6

CWE Classification

CWE-22

References

github.com /filebrowser/filebrowser/security/advisories/GHSA-gxjx-7m74-hcq8

{
    "lastseen": "",
    "description": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, filebrowser builds the download-as-zip / download-as-tar archive entry names with filepath.ToSlash, which on a Linux host is a no-op for backslashes (\\ is only a path separator on Windows). A file whose name contains Windows-style traversal is accepted by the resource handlers, stored on the Linux filesystem with a literal backslash name, and then emitted verbatim as the archive entry name. Windows extractors interpret \\ as a path separator and write the extracted file outside the extraction directory \u2014 arbitrary file write on the victim who downloads and extracts the archive. This vulnerability is fixed in 2.63.6.",
    "published": "2026-06-25T17:39:06.613Z",
    "modified": "2026-06-25T17:39:06.613Z",
    "type": "cve",
    "title": "File Browser: Path traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames",
    "source": "GitHub_M",
    "references": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-gxjx-7m74-hcq8",
    "id": "CVE-2026-54093",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "filebrowser filebrowser < 2.63.6",
    "sourceHref": "",
    "cvss": {
        "score": 6.8,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "filebrowser",
    "version": "< 2.63.6",
    "vendor": "filebrowser",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

File Browser: Path traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames_CVE-2026-54093