CVE-2026-62843 in File Browser
Summary
by MITRE • 07/15/2026
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.63.6 to 2.63.16, File Browser's archive builder uses strings.ReplaceAll(nameInArchive, "\", "/"), which turns a POSIX filename such as ..\..\evil.sh into the archive entry ../../evil.sh, allowing a user with upload permission to plant a backslash-named file that escapes the extraction directory when another user downloads and extracts the generated zip or tar archive. This issue is fixed in version 2.63.17.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/15/2026
This vulnerability exists within File Browser's archive handling functionality where the application processes filenames during archive creation by replacing backslashes with forward slashes using strings.ReplaceAll(nameInArchive, "\", "/"). The flaw stems from a lack of proper path validation and sanitization during archive building operations. When users upload files through the web interface, the system does not adequately validate or sanitize the filenames before incorporating them into compressed archives such as zip or tar formats.
The technical exploitation occurs when an attacker with upload permissions creates a malicious filename containing backslash characters that are subsequently converted to forward slashes during archive generation. For example, a filename like ..\..\evil.sh gets transformed into ../../evil.sh within the archive structure, allowing the file to escape the intended extraction directory. This represents a classic path traversal vulnerability where the system fails to properly normalize or validate file paths before archiving operations. The vulnerability affects versions between 2.63.6 and 2.63.16, with the issue being resolved in version 2.63.17 through proper filename sanitization.
The operational impact of this vulnerability is significant as it allows unauthorized privilege escalation through archive manipulation. An attacker can place malicious files outside of their intended directory scope by leveraging the path traversal mechanism during archive extraction. This creates potential for privilege escalation, remote code execution, or information disclosure depending on how the extracted files are subsequently processed. The vulnerability specifically targets users who download and extract archives created by other users with upload permissions, making it a cross-user attack vector that can affect multiple system components.
This issue aligns with CWE-22 Path Traversal and CWE-73 Path Traversal in Archive Files, both of which address improper handling of file paths during archive operations. From an ATT&CK perspective, this vulnerability maps to T1059 Command and Scripting Interpreter and T1566 Phishing as attackers could leverage this to deliver malicious payloads through seemingly legitimate archive downloads. The fix implemented in version 2.63.17 should include proper input validation and path normalization that prevents backslash character sequences from being interpreted as directory traversal operators, ensuring that all filenames are properly sanitized before inclusion in compressed archives.
The vulnerability demonstrates the critical importance of proper input sanitization in web applications handling file operations. Security practitioners should implement comprehensive filename validation that rejects or normalizes potentially dangerous path sequences regardless of the operating system platform. Organizations using File Browser should immediately upgrade to version 2.63.17 or later and conduct thorough security reviews of their archive handling processes to prevent similar issues in other components. Additionally, implementing proper access controls and monitoring mechanisms around upload operations can help detect and prevent malicious file uploads that could exploit such vulnerabilities in the future.