Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 through 2.63.1, the hook system in File Browser — which executes administrator-defined shell commands on file events such as upload, rename, and delete — is vulnerable to OS command injection. Variable substitution for values like $FILE and $USERNAME is performed via os.Expand without sanitization. An attacker with file write permission can craft a malicious filename containing shell metacharacters, causing the server to execute arbitrary OS commands when the hook fires. This results in Remote Code Execution (RCE). This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations.

INFO

Published Date :

2026-04-07T16:20:46.019Z

Last Modified :

2026-04-08T18:51:09.641Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35585 vulnerability.

Vendors Products
Filebrowser
  • Filebrowser
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35585.

URL Resource
https://github.com/filebrowser/filebrowser/issues/5199 cve-icon cve-icon
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jvpw-637p-h3pw cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability