CVE-2026-54093
Status: Deferred - Pending Action
Path Traversal in File Browser

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, filebrowser builds the download-as-zip / download-as-tar archive entry names with filepath.ToSlash, which on a Linux host is a no-op for backslashes (\ is only a path separator on Windows). A file whose name contains Windows-style traversal is accepted by the resource handlers, stored on the Linux filesystem with a literal backslash name, and then emitted verbatim as the archive entry name. Windows extractors interpret \ as a path separator and write the extracted file outside the extraction directory: an arbitrary file write on the victim who downloads and extracts the archive. This vulnerability is fixed in 2.63.6.
CVSS Scores: none listed
EPSS Scores: not evaluated (probability and percentile N/A)
Page generated: 2026-06-26
Affected Vendors & Products (3 associated CPEs)
Vendor        Product        Version / Range
filebrowser   file_browser   up to 2.63.6 (exclusive)
filebrowser   filebrowser    up to 2.63.6 (exclusive)
filebrowser   filebrowser    2.63.6
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-54093 is a path traversal vulnerability in the filebrowser application affecting versions before 2.63.6 (up to and including 2.63.5). When it builds entry names for download-as-zip and download-as-tar archives, filebrowser runs each file name through filepath.ToSlash, which only rewrites the host's own path separator. On a Linux host that separator is already '/', so backslashes are left untouched: a file whose name contains Windows-style traversal (backslash-separated ".." components) is stored on the Linux filesystem under that literal name and written verbatim into the archive.

When a user downloads a folder as a ZIP or TAR archive and extracts it on a Windows system, the extractor interprets the backslashes as path separators and resolves the ".." components, so the file is written outside the chosen extraction directory. The result is an arbitrary file write, relative to the extraction location, on the machine of whoever extracts the archive.

The vulnerability can be exploited by any authenticated user with Create permission (or by anonymous users on instances where signup is enabled) to plant such files, which then compromise the systems of users who download and extract the archives on Windows.

Impact Analysis

This vulnerability leads to arbitrary file writes outside the intended extraction directory on Windows systems when users extract downloaded archives. The write is performed with the privileges of the extracting user and lands at a path relative to the extraction directory, so what the attacker can reach depends on where the victim extracts and what that account may write; system files or executables are only exposed when the victim extracts from a location, and with rights, that reach them.

As a result, the attacker may compromise the victim's system by planting or overwriting files in locations the victim's account can write, potentially leading to unauthorized code execution when a planted file is later run, to system instability, or to further security breaches.

Detection Guidance

This vulnerability leaves malicious filenames containing Windows-style backslash path separators on the Linux filesystem managed by filebrowser. Detection therefore starts with finding files and directories whose names contain a backslash (\) within the filebrowser root; such names are rarely legitimate and become dangerous as soon as they are included in a ZIP or TAR archive offered for download.

On Linux systems, you can use commands to find files with backslashes in their names, for example:

  • find /path/to/filebrowser/root -name '*\\*'

This command searches recursively for files whose names contain a backslash character. The single quotes are required so that the shell hands the pattern *\\* to find unchanged; find's own pattern matching then reads the doubled backslash as one literal backslash. Any match is a strong indicator of exploitation or of an attempt to exploit the vulnerability.

Additionally, archives downloaded from filebrowser can be inspected before extraction: list the entry names and flag any that contain a backslash or a ".." component. Monitoring ZIP and TAR downloads from an affected instance and checking their contents the same way gives the equivalent signal on the server side.
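The archive inspection just described, as an added example in Go (filebrowser's implementation language) that is not part of this page or of the filebrowser project: it builds a small zip and a small tar in memory with a constructed malicious entry name of the kind a Linux host would store, then scans both for entry names containing a backslash, an absolute path, or a ".." component. The function names (suspiciousEntryName, scanZip, scanTar) and the sample entries are assumptions made for this example.

```go
package main

import (
	"archive/tar"
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// suspiciousEntryName reports whether an archive entry name should be flagged
// and why: a backslash (a Windows extractor will treat it as a separator even
// though the Linux-side packer did not), an absolute path, or a ".." component.
func suspiciousEntryName(name string) (bool, string) {
	if strings.ContainsRune(name, '\\') {
		return true, "contains backslash"
	}
	if strings.HasPrefix(name, "/") {
		return true, "absolute path"
	}
	for _, part := range strings.Split(name, "/") {
		if part == ".." {
			return true, "contains '..' component"
		}
	}
	return false, ""
}

// scanZip lists the flagged entries of a zip archive held in memory.
func scanZip(data []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, f := range zr.File {
		if bad, why := suspiciousEntryName(f.Name); bad {
			hits = append(hits, fmt.Sprintf("%s (%s)", f.Name, why))
		}
	}
	return hits, nil
}

// scanTar does the same for an uncompressed tar stream.
func scanTar(data []byte) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(data))
	var hits []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return hits, nil
		}
		if err != nil {
			return nil, err
		}
		if bad, why := suspiciousEntryName(hdr.Name); bad {
			hits = append(hits, fmt.Sprintf("%s (%s)", hdr.Name, why))
		}
	}
}

// sampleEntries are constructed for this example, not taken from a real
// filebrowser download: one benign file and one whose name carries
// Windows-style traversal exactly as a Linux host would store it.
var sampleEntries = [][2]string{
	{"docs/readme.txt", "hello"},
	{`..\..\Startup\evil.bat`, "calc"},
}

// sampleZip packs sampleEntries into a zip; archive/zip writes names as given.
func sampleZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range sampleEntries {
		w, _ := zw.Create(e[0])
		w.Write([]byte(e[1]))
	}
	zw.Close()
	return buf.Bytes()
}

// sampleTar packs the same entries into a tar stream.
func sampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range sampleEntries {
		tw.WriteHeader(&tar.Header{Name: e[0], Mode: 0o644, Size: int64(len(e[1]))})
		tw.Write([]byte(e[1]))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	zipHits, _ := scanZip(sampleZip())
	tarHits, _ := scanTar(sampleTar())
	fmt.Println("zip:", zipHits)
	fmt.Println("tar:", tarHits)
}
```

To check a real download instead of the constructed sample, read its bytes with os.ReadFile and pass them to scanZip or scanTar; a non-empty result means the archive should not be extracted on Windows until the flagged entries have been reviewed.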

Mitigation Strategies

The primary mitigation is to upgrade filebrowser to version 2.63.6 or later, where archive entry names are normalized so that Windows-style path separators are handled regardless of the host OS.

Until the upgrade can be applied, restrict who can create or rename files: limit Create permission to trusted users and disable open signup so that anonymous users cannot obtain it.

Also, advise users to be cautious when extracting archives downloaded from filebrowser on Windows: list the entries first, extract into an empty, disposable directory, and treat any entry name containing a backslash or a ".." component as hostile.
