File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create attacker-controlled files outside the user's scope. This issue is fixed in version 2.63.16.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 08 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Filebrowser
Filebrowser filebrowser |
|
| Vendors & Products |
Filebrowser
Filebrowser filebrowser |
|
| Metrics |
ssvc
|
Wed, 08 Jul 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create attacker-controlled files outside the user's scope. This issue is fixed in version 2.63.16. | |
| Title | File Browser: ScopedFs follows a dangling symlink on write, letting a scoped user create files outside their scope | |
| Weaknesses | CWE-22 CWE-59 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-08T16:11:52.007Z
Reserved: 2026-06-17T00:05:03.777Z
Link: CVE-2026-55668
Updated: 2026-07-08T16:11:48.231Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T17:15:02Z