{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "2.32.0" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "3d6c5152fe22a4a47783253a3506a2930b7b6be3" } ], "repo": "https://github.com/filebrowser/filebrowser", "type": "GIT" } ] } ], "aliases": [ "GHSA-3v48-283x-f2w4" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-305" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52996.json" }, "details": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions 2.32.0 and prior, the implementation of password protected links is error-prone, resulting in potential unprotected sharing of a file through a direct download link. This link can either be shared unknowingly by a user or discovered from various locations such as the browser history or the log of a proxy server used. At time of publication, no known patched versions are available.", "id": "CVE-2025-52996", "modified": "2026-04-01T23:10:01.467089005Z", "published": "2025-06-30T19:58:33.484Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52996.json" }, { "type": "ADVISORY", "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3v48-283x-f2w4" }, { "type": "ADVISORY", "url": "https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250327-02_Filebrowser_Password_Protection_Of_Links_Bypassable" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52996" }, { "type": "REPORT", "url": "https://github.com/filebrowser/filebrowser/issues/5239" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "type": "CVSS_V3" } ], "summary": "File Browser's Password Protection of Links Vulnerable to Bypass" }