CVE-2026-55668 in File Browserinfo

Summary

by MITRE • 07/08/2026

File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create attacker-controlled files outside the user's scope. This issue is fixed in version 2.63.16.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability in File Browser affects versions prior to 263.16 and relates to improper validation of file system operations involving symbolic links. This represents a critical access control flaw that allows authenticated users with minimal permissions to escape their designated file scope. The issue stems from how the ScopedFs component handles dangling symbolic links during file creation processes, creating a path traversal condition that bypasses intended security boundaries.

The technical implementation flaw occurs when the system validates the nearest existing ancestor of a dangling symlink and determines it as in scope, subsequently following the symlink to complete file operations. This validation process fails to properly account for the potential for path manipulation through symbolic link resolution. Attackers can exploit this by creating or modifying symbolic links that point outside their intended directory scope, then triggering file creation operations that traverse these links to write files elsewhere on the system.

The operational impact of this vulnerability extends beyond simple privilege escalation as it enables arbitrary file creation outside designated user boundaries. An authenticated user with only Create and Modify permissions can leverage this flaw to place malicious files in system directories or other users' scopes, potentially leading to persistent access, data exfiltration, or system compromise. The vulnerability essentially undermines the core principle of scoped file operations that File Browser implements for user isolation.

This issue aligns with CWE-22 Path Traversal and CWE-73 Improper Neutralization of Special Elements in Output Used by a Downstream Component, representing a classic path manipulation attack vector. From an ATT&CK perspective, this maps to T1059 Command and Scripting Interpreter and T1496 Resource Hijacking, as attackers can use the vulnerability to place malicious executables or scripts in system locations. The vulnerability also demonstrates poor input validation practices and inadequate sandboxing of file operations.

Mitigation strategies should focus on implementing proper symlink resolution checks that prevent traversal beyond intended scopes regardless of symbolic link state. Organizations should immediately upgrade to version 2.63.16 or later where this issue has been patched, while also implementing additional monitoring for suspicious file creation patterns in system directories. Network segmentation and principle of least privilege enforcement can help limit potential damage from exploitation attempts, though the primary fix requires proper validation of all file operations through symbolic link resolution paths.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!