CVE-2026-35604
CWE-863Published: April 7, 2026· Updated: Apr 8, 2026
Official Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. This vulnerability is fixed in 2.63.1.
Technical Analysis
CVE-2026-35604 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (2)
Quick Facts
Related CVEs (CWE-863)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-35604 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts