File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create attacker-controlled files outside the user's scope. This issue is fixed in version 2.63.16.
Metrics
Affected Vendors & Products
References
History
Wed, 08 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Filebrowser
Filebrowser filebrowser |
|
| Vendors & Products |
Filebrowser
Filebrowser filebrowser |
|
| Metrics |
ssvc
|
Wed, 08 Jul 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create attacker-controlled files outside the user's scope. This issue is fixed in version 2.63.16. | |
| Title | File Browser: ScopedFs follows a dangling symlink on write, letting a scoped user create files outside their scope | |
| Weaknesses | CWE-22 CWE-59 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-08T16:11:52.007Z
Reserved: 2026-06-17T00:05:03.777Z
Link: CVE-2026-55668
Updated: 2026-07-08T16:11:48.231Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T17:15:02Z