Multiple vulnerabilities have been identified in File Browser, including a critical flaw that allows unauthenticated users to create admin accounts (CVE-2026-32760) and a stored XSS vulnerability (CVE-2026-34530). These vulnerabilities could lead to complete system compromise. Patches are available; users are advised to update immediately.
These vulnerabilities range in severity, with the most critical allowing for complete system takeover.
What is Github.com/filebrowser/filebrowser/v2?
CVE-2026-32760: File Browser Signup Grants Admin Privileges
Critical: Remote, unauthenticated code execution.
EPSS score of 0.017 indicates a low probability of exploitation.
When self-registration is enabled and default user permissions include admin privileges, any unauthenticated visitor can register a full administrator account. The signup handler applies all default settings, including admin permissions, without proper server-side validation.
How to fix CVE-2026-32760 in Github.com/filebrowser/filebrowser/v2
Patch immediately
1. Update your File Browser installation to version 2.62.0 or later.
go get -u github.com/filebrowser/filebrowser/v2@latest
Workaround: Disable self-registration or ensure default user permissions do not include admin privileges.
NextGuard automatically flags CVE-2026-32760 if Github.com/filebrowser/filebrowser/v2 appears in any of your monitored projects — no manual lookup required.
CVE-2026-32759: File Browser TUS Upload Hook Trigger Vulnerability
Severity not specified.
EPSS score of 0.184 indicates a moderate probability of exploitation.
The TUS resumable upload handler parses the `Upload-Length` header as a signed 64-bit integer without validating that the value is non-negative. A negative value triggers the `after_upload` hook prematurely, even with an empty file.
How to fix CVE-2026-32759 in Github.com/filebrowser/filebrowser/v2
Patch within 7 days
1. Update your File Browser installation to the latest version.
2. Alternatively, disable exec hooks in untrusted environments.
go get -u github.com/filebrowser/filebrowser/v2@latest
Workaround: Disable exec hooks (`enableExec = false`) to mitigate the remote command execution risk.
CVE-2026-32758: File Browser Access Rule Bypass via Path Traversal
Medium: Limited access to restricted paths.
EPSS score of 0.014 indicates a low probability of exploitation.
The `resourcePatchHandler` validates the destination path against configured access rules before cleaning the path. This allows an authenticated user to bypass deny rules by including `..` path traversal sequences in the destination parameter.
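The ordering problem described above, as an added illustration in Go that is not File Browser's own code: the deny rules, the prefix matcher and the two checker functions are constructed for this example, with one version checking the raw destination before cleaning it and the other cleaning first.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed deny rule for the example: nothing under /private may be touched.
var denyPrefixes = []string{"/private/"}

// denied reports whether p matches a deny rule by prefix.
func denied(p string) bool {
	for _, d := range denyPrefixes {
		if strings.HasPrefix(p, d) {
			return true
		}
	}
	return false
}

// allowedCheckThenClean mirrors the flawed ordering: the raw destination is
// compared against the rules, and only the cleaned path is used afterwards, so
// a destination that resolves into /private is not caught by the deny rule.
func allowedCheckThenClean(dst string) (bool, string) {
	if denied(dst) {
		return false, ""
	}
	return true, path.Clean("/" + dst)
}

// allowedCleanThenCheck resolves the path first, so ".." segments are collapsed
// before the rules are consulted and the deny rule holds for the real target.
func allowedCleanThenCheck(dst string) (bool, string) {
	clean := path.Clean("/" + dst)
	if denied(clean) {
		return false, ""
	}
	return true, clean
}

func main() {
	dst := "/public/../private/secret" // constructed destination parameter
	ok1, p1 := allowedCheckThenClean(dst)
	ok2, _ := allowedCleanThenCheck(dst)
	fmt.Printf("check-then-clean: allowed=%v resolved=%q\n", ok1, p1)
	fmt.Printf("clean-then-check: allowed=%v\n", ok2)
}
```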
How to fix CVE-2026-32758 in Github.com/filebrowser/filebrowser/v2
Patch within 24h
1. Update your File Browser installation to version 2.62.0 or later.
go get -u github.com/filebrowser/filebrowser/v2@latest
CVE-2026-34530: File Browser Stored XSS via Branding Injection
Medium: Stored XSS affecting all users.
EPSS score of 0.057 indicates a low probability of exploitation.
The SPA index page in File Browser is vulnerable to Stored Cross-site Scripting (XSS) via admin-controlled branding fields. An admin who sets `branding.name` to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users.
How to fix CVE-2026-34530 in Github.com/filebrowser/filebrowser/v2
Patch immediately
1. Update your File Browser installation to version 2.62.2 or later.
go get -u github.com/filebrowser/filebrowser/v2@latest
Workaround: Refrain from using custom branding or sanitize the branding name input to prevent script injection.
Stay ahead of Go vulnerabilities
Proactively detect and remediate vulnerabilities in your Go projects. Start monitoring your Go dependencies with NextGuard today.
Frequently asked questions
Multiple vulnerabilities were discovered in File Browser. It is crucial to update to the latest version to mitigate these risks.