PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35585 filebrowser CVE debrief

CVE-2026-35585 is a high-severity vulnerability in File Browser, a file management interface, that allows Remote Code Execution (RCE) via OS command injection. The vulnerability exists in versions 2.0.0 through 2.33.8 and is caused by the hook system's use of os.Expand without sanitization, allowing an attacker with file write permission to craft a malicious filename containing shell metacharacters. This results in the server executing arbitrary OS commands when the hook fires. The feature has been disabled by default for all installations from v2.33.8 onwards.

Vendor
filebrowser
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-07
Original CVE updated
2026-06-09
Advisory published
2026-04-07
Advisory updated
2026-06-09

Who should care

Operators of File Browser instances should be aware of this vulnerability and take steps to mitigate it, especially where file write permission is granted to users, since that permission is what an attacker needs to plant a malicious filename.

Technical summary

The hook system builds its command with os.Expand, substituting values such as the affected filename into the configured command string without sanitizing them. An attacker who holds file write permission can therefore create a file whose name contains shell metacharacters; when the hook fires, those characters are interpreted as command syntax and the server executes the attacker's arbitrary OS commands.

Defensive priority

High

Recommended defensive actions

  • Upgrade to version 2.63.1 or later
  • Disable the hook system, or ensure every value substituted through os.Expand is sanitized before the hook command runs
  • Restrict file write permission to trusted users
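As an added illustration of the mechanism in the technical summary and of the sanitization action above (this is not File Browser's own code), the following Go snippet contrasts the expand-then-shell pattern with an argv-based alternative and a metacharacter check; the template string, the $FILE placeholder and the helper names are assumptions:

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Assumed hook template shape (not File Browser's real config format): a
// command with $FILE placeholders that os.Expand fills in.
const hookTemplate = "/usr/local/bin/notify --path $FILE"

func expandFile(s, filename string) string {
	// only $FILE is defined; unknown placeholders expand to nothing
	return os.Expand(s, func(key string) string {
		return map[string]string{"FILE": filename}[key]
	})
}

// Vulnerable pattern: expand the whole template into one string that is then
// handed to "sh -c", so metacharacters in the filename become shell syntax.
func vulnerableShellLine(filename string) string {
	return expandFile(hookTemplate, filename)
}

// Hardened pattern: tokenize first, expand each token on its own, and run the
// result as argv via exec.Command(argv[0], argv[1:]...) with no shell, so the
// filename is always one argument whatever characters it contains.
func hardenedArgv(filename string) []string {
	var argv []string
	for _, tok := range strings.Fields(hookTemplate) {
		argv = append(argv, expandFile(tok, filename))
	}
	return argv
}

// Defence in depth: do not fire the hook at all for names with shell metacharacters.
func checkFilename(filename string) error {
	if strings.ContainsAny(filename, ";|&$`\n<>()") {
		return fmt.Errorf("filename %q contains shell metacharacters", filename)
	}
	return nil
}

func main() {
	name := "a;b.txt" // constructed sample name
	fmt.Println("vulnerable:", vulnerableShellLine(name))
	fmt.Println("hardened:", hardenedArgv(name))
}
```

The hardened form never lets the expanded filename reach a shell parser, which is the property the fixed versions' default-off hooks and any re-enabled hook should preserve.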

Evidence notes

The vulnerability is documented in the CVE record and the NVD detail page. The vendor has also provided a patch and an advisory on GitHub.

Official resources

CVE-2026-35585 was published on 2026-04-07T17:16:33.980Z and modified on 2026-06-09T13:16:35.980Z.