CVE-2026-35585 is a high-severity vulnerability in File Browser, a file-management interface, that allows remote code execution (RCE) via OS command injection. The vulnerability exists in versions 2.0.0 through 2.33.8 and is caused by the hook system's use of os.Expand without sanitization, which lets an attacker with file write permission craft a malicious filename containing shell metacharacters. Thi [truncated]
CVE-2026-32759 is a vulnerability in the File Browser TUS resumable upload handler. In versions on the 2.x branch prior to 2.33.8, an authenticated user can supply a negative Upload-Length value, which is parsed as a signed 64-bit integer without validation. This allows the user to instantly satisfy the upload completion condition upon the first PATCH request, causing the server to fire after_upload exec [truncated]
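
The Upload-Length flaw described for CVE-2026-32759, shown as an added Go example that is not File Browser's own code: a signed parse with no range check next to a strict parse. The function names, the `offset >= declared` completion check and the size cap are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// ErrBadUploadLength is returned for any Upload-Length the server should refuse.
var ErrBadUploadLength = errors.New("invalid Upload-Length")

// uploadComplete models the completion condition (assumed form): the upload
// counts as finished once the written offset reaches the declared length.
func uploadComplete(offset, declared int64) bool {
	return offset >= declared
}

// parseLenient is the flawed pattern: a signed 64-bit parse with no validation,
// so "-1" is accepted as a declared length.
func parseLenient(header string) (int64, error) {
	return strconv.ParseInt(header, 10, 64)
}

// parseStrict accepts only an unsigned decimal value that fits in int64 and
// does not exceed maxSize (a hypothetical per-upload cap).
func parseStrict(header string, maxSize int64) (int64, error) {
	n, err := strconv.ParseUint(header, 10, 63) // rejects "-1", "+1", "", "1e3"
	if err != nil || int64(n) > maxSize {
		return 0, ErrBadUploadLength
	}
	return int64(n), nil
}

func main() {
	const maxSize = 1 << 30 // constructed limit for the demo
	for _, h := range []string{"1024", "-1", "9223372036854775808"} { // constructed inputs
		lenient, lerr := parseLenient(h)
		_, serr := parseStrict(h, maxSize)
		// With zero bytes written, a negative declared length already
		// satisfies the completion check.
		done := lerr == nil && uploadComplete(0, lenient)
		fmt.Printf("Upload-Length=%q lenient=%d complete-at-offset-0=%v strict-rejects=%v\n",
			h, lenient, done, serr != nil)
	}
}
```

Rejecting the header when the upload is created, before any offset comparison runs, keeps the completion check from ever seeing a negative length.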