Cyber Resilience

CVE-2026-32759

Severity: Medium · Public PoC · Updated

Published: 20 March 2026

Modified: 09 June 2026
CVSS v4.0 score: 5.3 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0190 (77.0th percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-32759 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Filebrowser Filebrowser. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

File Browser versions on the 2.x branch prior to 2.33.8 contain an integer handling flaw in the TUS resumable upload handler at the /api/tus endpoint. The handler treats the Upload-Length header value as a signed 64-bit integer without enforcing a non-negative constraint, so an authenticated user can supply a negative length that immediately satisfies the completion condition on the first PATCH request. This causes the server to invoke any configured after_upload exec hooks against empty or partial files and to create inconsistent cache entries marking nonexistent uploads as complete. The enableExec flag, which is required for hook execution, amplifies the effect from cache corruption to potential command injection or workflow abuse such as S3 ingestion or database writes.

An authenticated attacker can repeatedly trigger the flaw with arbitrary filenames to force expensive hook processing for denial of service, to amplify command injection when malicious filenames reach exec hooks, or to poison downstream upload-driven pipelines. The vulnerability affects all deployments that expose the TUS endpoint, though successful exploitation still requires the instance administrator to have enabled the exec feature despite its documented risks.

The referenced GitHub security advisory and issue tracker indicate that version 2.33.8 disables the exec feature by default for both new and existing installations, thereby removing the pathway to remote command execution while leaving only the lower-severity cache inconsistency.
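To make the signed-integer point concrete, here is an added Go example (not File Browser's own code; the function names parseUploadLength, parseUploadLengthUnchecked, uploadComplete and classify are assumptions for illustration, and the real handler's completion check may be written differently). It shows an unchecked parse of the Upload-Length header beside a hardened one that rejects negative values, and a simplified "bytes written >= declared length" completion test of the kind a resumable upload handler runs after each PATCH. A declared length of 0 is still accepted by the hardened parser, because a genuinely empty upload completing after zero bytes is the expected TUS behaviour; only values below zero are refused.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strconv"
)

// ErrInvalidUploadLength is returned when the Upload-Length header is absent,
// not an integer, or negative.
var ErrInvalidUploadLength = errors.New("invalid Upload-Length header")

// parseUploadLengthUnchecked mirrors the flaw described in the analysis: the
// header is parsed as a signed 64-bit integer and nothing rejects a negative
// value. (Hypothetical helper, not the project's code.)
func parseUploadLengthUnchecked(h http.Header) (int64, error) {
	return strconv.ParseInt(h.Get("Upload-Length"), 10, 64)
}

// parseUploadLength is the hardened form: same parse, but a missing,
// unparseable, or negative value is refused before any upload state is touched.
func parseUploadLength(h http.Header) (int64, error) {
	raw := h.Get("Upload-Length")
	if raw == "" {
		return 0, ErrInvalidUploadLength
	}
	n, err := strconv.ParseInt(raw, 10, 64)
	if err != nil || n < 0 {
		return 0, ErrInvalidUploadLength
	}
	return n, nil
}

// uploadComplete is a simplified completion check: the upload is considered
// finished once the bytes written so far reach the declared length. With a
// negative declared length and zero bytes written, the comparison is already
// true on the first PATCH, which is the condition the advisory describes.
func uploadComplete(written, declared int64) bool {
	return written >= declared
}

// outcome records, for a first PATCH that wrote zero bytes, whether each parser
// accepted the header and whether the completion check would then fire.
type outcome struct {
	UncheckedAccepts, UncheckedComplete bool
	HardenedAccepts, HardenedComplete   bool
}

// classify runs both parsers over one Upload-Length header value.
func classify(uploadLength string) outcome {
	h := http.Header{}
	h.Set("Upload-Length", uploadLength)
	var o outcome
	if n, err := parseUploadLengthUnchecked(h); err == nil {
		o.UncheckedAccepts = true
		o.UncheckedComplete = uploadComplete(0, n)
	}
	if n, err := parseUploadLength(h); err == nil {
		o.HardenedAccepts = true
		o.HardenedComplete = uploadComplete(0, n)
	}
	return o
}

func main() {
	// Constructed header values for the demonstration, not captured traffic.
	for _, v := range []string{"1048576", "0", "-1", "abc", ""} {
		fmt.Printf("Upload-Length=%q -> %+v\n", v, classify(v))
	}
}
```

The difference to look for in the output is the "-1" row: the unchecked path accepts the header and reports the upload complete with nothing written, while the hardened path never reaches the completion check. A defender reviewing a handler for this class of bug should look for exactly that pattern: a signed parse whose result feeds a `>=` comparison with no lower bound enforced in between.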

EPSS for this CVE rose from a low baseline of 0.0015 to a peak of 0.0101, indicating that exploitation interest increased after disclosure and that the issue merits renewed attention.

Vulnerability details

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions on the 2.x branch prior to 2.33.8, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. This feature has been disabled by default for all installations from v2.33.8 onwards, including for existing installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables remote exploitation of a public-facing web application (T1190) via a crafted PATCH request, facilitating Unix shell command execution through after_upload exec hooks (T1059.004) and application DoS via resource-intensive hooks (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35585 (same product: Filebrowser Filebrowser)
CVE-2026-34528 (same product: Filebrowser Filebrowser)
CVE-2026-35605 (same product: Filebrowser Filebrowser)
CVE-2026-35604 (same product: Filebrowser Filebrowser)
CVE-2025-64523 (same product: Filebrowser Filebrowser)
CVE-2026-30933 (same product: Filebrowser Filebrowser)
CVE-2025-53826 (same product: Filebrowser Filebrowser)
CVE-2026-32760 (same product: Filebrowser Filebrowser)
CVE-2026-35607 (same product: Filebrowser Filebrowser)
CVE-2026-30934 (same product: Filebrowser Filebrowser)

Affected Assets

filebrowser / filebrowser: ≤ 2.61.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent): Directly requires validation of external inputs like the Upload-Length header to ensure non-negative values, preventing the upload completion bypass with negative integers.

SI-2 Flaw Remediation (prevent): Mandates identification, reporting, and correction of flaws such as the improper signed integer parsing in the TUS handler, enabling timely patching.

CM-7 Least Functionality (prevent): Enforces least functionality by prohibiting or restricting risky features like the TUS endpoint or exec hooks, mitigating exploitation even without a patch.
