Zurück zur Liste

File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix — CVE-2026-54097

GitHub · GitHub · CVE-2026-54097

ID
CVE-2026-54097

Datum
2026-06-12

Activity
2026-06-12

Quelle
GitHub

Vendor
GitHub

Risiko
high

CVSS
7.2

EPSS
0.00018

Zusammenfassung

### Summary A low-privileged authenticated user of filebrowser (with `create` + `delete` permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user's stored `share.Link.Path`. The file contents of the…

Produkt

go: github.com/filebrowser/filebrowser | go: github.com/filebrowser/filebrowser/v2

Was tun?

Allgemeine, vorsichtige Schritte (bitte prüfe die offizielle Quelle für Details):

Priorisiere sofort Patches oder Mitigations (hohes akutes Risiko).
Identifiziere betroffene Produktversionen und prüfe, ob du betroffen bist.
Spiele Hersteller-Updates/Patches ein oder setze empfohlene Mitigations um.
Lies das offizielle Advisory für betroffene Versionen und konkrete Schritte.

Offizielles Advisory

Mehr dazu

GitHub GitHub 2026-W24

CVE-2026-0249 GlobalProtect App: Certificate Validation Bypass Vulnerabilities

2026-06-13 CVE-2026-0249

mediumPalo Alto Networks Palo Alto 2026-W24

CVE-2026-0250 GlobalProtect App: Buffer Overflow Vulnerability during connection to Portal or Gateway

2026-06-13 CVE-2026-0250

mediumPalo Alto Networks Palo Alto 2026-W24

File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection

2026-06-13 CVE-2026-54090

highGitHub GitHub 2026-W24

Apache CXF: Mehrere Schwachstellen

2026-06-12 WID-SEC-2026-1895

mediumBSI 2026-W24

Apple macOS: Mehrere Schwachstellen

2026-06-12 WID-SEC-2025-0668

highBSI 2026-W24

Apple macOS: Mehrere Schwachstellen

2026-06-12 WID-SEC-2025-2475

criticalBSI 2026-W24