CVE-2026-32759

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. At the time of publication, no patch or mitigation was available to address this issue.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/filebrowser/filebrowser/issues/5199	Issue Tracking
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-ffx7-75gc-jg7c	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-20 00:16

Updated : 2026-03-23 16:54

NVD link : CVE-2026-32759

Mitre link : CVE-2026-32759

CVE.ORG link : CVE-2026-32759

JSON object : View

Products Affected

filebrowser

filebrowser

CWE

CWE-190

Integer Overflow or Wraparound

{"id": "CVE-2026-32759", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T00:16:17.270", "references": [{"url": "https://github.com/filebrowser/filebrowser/issues/5199", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-ffx7-75gc-jg7c", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-190"}]}], "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. At the time of publication, no patch or mitigation was available to address this issue."}, {"lang": "es", "value": "Navegador de Archivos es una interfaz de gesti\u00f3n de archivos para subir, eliminar, previsualizar, renombrar y editar archivos dentro de un directorio especificado. En las versiones 2.61.2 e inferiores, el gestor de carga reanudable TUS analiza el encabezado Upload-Length como un entero con signo de 64 bits sin validar que el valor no sea negativo, permitiendo a un usuario autenticado proporcionar un valor negativo que satisface instant\u00e1neamente la condici\u00f3n de finalizaci\u00f3n de la carga tras la primera solicitud PATCH. Esto hace que el servidor dispare ganchos de ejecuci\u00f3n 'after_upload' con archivos vac\u00edos o parciales, permitiendo a un atacante activar repetidamente cualquier gancho configurado con nombres de archivo arbitrarios y cero bytes escritos. El impacto abarca desde DoS a trav\u00e9s de ganchos de procesamiento costosos, hasta la amplificaci\u00f3n de la inyecci\u00f3n de comandos cuando se combina con nombres de archivo maliciosos, hasta el abuso de flujos de trabajo impulsados por la carga como la ingesta de S3 o las inserciones en la base de datos. Incluso sin los ganchos de ejecuci\u00f3n habilitados, el Upload-Length negativo crea entradas de cach\u00e9 inconsistentes donde los archivos se marcan como completos pero no contienen datos. Todas las implementaciones que utilizan el punto final de carga TUS (/api/tus) se ven afectadas, con la bandera 'enableExec' escalando el impacto desde la inconsistencia de la cach\u00e9 hasta la ejecuci\u00f3n remota de comandos. En el momento de la publicaci\u00f3n, no hab\u00eda ning\u00fan parche o mitigaci\u00f3n disponible para abordar este problema."}], "lastModified": "2026-03-23T16:54:09.273", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A64EB522-E0AD-4202-A2F6-E35934B210DD", "versionEndIncluding": "2.61.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}