CVE-2025-52900 MEDIUM

CVE-2025-52900: File Browser has Insecure File Permissions

Vendor Filebrowser
Product filebrowser
Weakness CWE-276
Published June 26, 2025
Last update June 26, 2025

CVSS base score

5.5/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same is true for the database used by File Browser. On standard servers using File Browser prior to version 2.33.7 where the umask configuration has not been hardened before, this makes all the stated files readable by any operating system account. Version 2.33.7 fixes the issue.

Key dates

02Disclosure timeline

June 26, 2025 CVE published
June 26, 2025 Record updated