CVE-2026-25889

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-25889

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25889.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-25889

Aliases

Downstream

SUSE-SU-2026:0757-1

Related

SUSE-SU-2026:0757-1

Published

2026-02-09T21:18:13.054Z

Modified

2026-03-04T22:29:06.517891Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

File Browser has an Authentication Bypass in User Password Update

Details

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-178"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25889.json"
}

References

Affected packages

Git / github.com/filebrowser/filebrowser

Affected ranges

Type: GIT
Repo: https://github.com/filebrowser/filebrowser
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

e193d43278e79549950d7f0e69af50a38c77f855

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.1.1

v1.10.0

v1.11.0

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.2.9

v1.3.0

v1.3.1

v1.3.10

v1.3.11

v1.3.12

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.3.9

v1.4.0

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.6.0

v1.7.0

v1.7.1

v1.8.0

v1.9.0

v2.*

v2.0.0

v2.0.0-rc.1

v2.0.0-rc.2

v2.0.1

v2.0.10

v2.0.11

v2.0.12

v2.0.13

v2.0.14

v2.0.15

v2.0.16

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

v2.0.9

v2.1.0

v2.1.1

v2.1.2

v2.10.0

v2.11.0

v2.12.0

v2.12.1

v2.13.0

v2.14.0

v2.14.1

v2.15.0

v2.16.0

v2.16.1

v2.17.0

v2.17.1

v2.17.2

v2.18.0

v2.19.0

v2.2.0

v2.20.0

v2.20.1

v2.21.0

v2.21.1

v2.22.0

v2.22.1

v2.22.2

v2.22.3

v2.22.4

v2.23.0

v2.24.0

v2.24.1

v2.24.2

v2.25.0

v2.26.0

v2.27.0

v2.28.0

v2.29.0

v2.3.0

v2.30.0

v2.31.0

v2.31.1

v2.31.2

v2.32.0

v2.32.1

v2.32.2

v2.32.3

v2.33.0

v2.33.1

v2.33.10

v2.33.2

v2.33.3

v2.33.4

v2.33.5

v2.33.6

v2.33.7

v2.33.8

v2.33.9

v2.34.0

v2.34.1

v2.34.2

v2.35.0

v2.36.0

v2.36.1

v2.36.2

v2.36.3

v2.37.0

v2.38.0

v2.39.0

v2.4.0

v2.40.0

v2.40.1

v2.40.2

v2.41.0

v2.42.0

v2.42.1

v2.42.2

v2.42.3

v2.42.4

v2.42.5

v2.43.0

v2.44.0

v2.44.1

v2.44.2

v2.45.0

v2.45.1

v2.45.2

v2.45.3

v2.46.0

v2.46.1

v2.47.0

v2.48.0

v2.48.1

v2.48.2

v2.49.0

v2.5.0

v2.50.0

v2.51.0

v2.51.1

v2.51.2

v2.52.0

v2.53.0

v2.53.1

v2.54.0

v2.55.0

v2.56.0

v2.57.0

v2.6.0

v2.6.1

v2.6.2

v2.7.0

v2.8.0

v2.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25889.json"