File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection in github.com/filebrowser/filebrowser
{ "url": "https://pkg.go.dev/vuln/GO-2026-5250", "review_status": "UNREVIEWED" }
"https://vuln.go.dev/ID/GO-2026-5250.json"