Cyber Resilience

CVE-2026-35585

Severity: High · Public PoC · RCE · Updated

Published: 07 April 2026

Modified: 09 June 2026
CVSS Score v4: 7.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0040 (61.1st percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35585 is a high-severity OS Command Injection (CWE-78) vulnerability in Filebrowser Filebrowser. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

File Browser is a web-based file management interface that supports operations such as uploading, renaming, and deleting files inside a configured directory. CVE-2026-35585 affects the hook system in versions 2.0.0 through 2.33.8, where administrator-defined shell commands are executed on file events. Variable substitution for placeholders such as $FILE and $USERNAME is performed with Go’s os.Expand function without any sanitization, allowing shell metacharacters to be interpreted by the underlying operating system and resulting in OS command injection (CWE-78, CWE-88).

An attacker who already possesses file-write permission within the managed directory can create or rename a file whose name contains shell metacharacters. When a subsequent file event triggers the configured hook, the server executes the attacker-supplied command, yielding remote code execution with the privileges of the File Browser process. The CVSS 7.5 score reflects a network attack vector, low attack complexity once that precondition is met (the vector records attack requirements as present, AT:P, and high privileges required, PR:H), and high impact on confidentiality, integrity, and availability.

Public advisories hosted on the project’s GitHub repository state that the hook feature has been disabled by default in version 2.33.8 for both new and existing installations. Administrators are advised to upgrade to at least this release and to review any previously defined hooks before re-enabling the functionality.

The associated EPSS score rose from a low baseline to a peak of 0.0109, indicating that exploitation interest increased after disclosure.

EU & UK References

Vulnerability details

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 until 2.33.8, the hook system in File Browser — which executes administrator-defined shell commands on file events such as upload, rename, and delete — is vulnerable to OS command injection. Variable substitution for values like $FILE and $USERNAME is performed via os.Expand without sanitization. An attacker with file write permission can craft a malicious filename containing shell metacharacters, causing the server to execute arbitrary OS commands when the hook fires. This results in Remote Code Execution (RCE). This feature has been disabled by default for all installations from v2.33.8 onwards, including for existing installations.
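An added illustration, not File Browser's own code, of the defect described in the Deeper analysis and Vulnerability details above and of the two mitigations the page names: os.Expand leaves shell metacharacters in a filename intact, an SI-10 style validator flags such values, and tokenising the hook template before expansion keeps each value a single argv element with no shell involved. The hook template, the notify path and the filename are constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"strings"
)

// Constructed hook variables in the page's $FILE / $USERNAME style.
var hookVars = map[string]string{
	"FILE":     "data;extra.txt", // constructed filename carrying a shell metacharacter
	"USERNAME": "alice",
}

// ExpandHook mirrors the vulnerable pattern: os.Expand substitutes the
// placeholders verbatim, so a metacharacter in a filename survives into the
// single string a shell would later parse.
func ExpandHook(tmpl string, vars map[string]string) string {
	return os.Expand(tmpl, func(k string) string { return vars[k] })
}

// shellMeta lists characters a POSIX shell treats specially.
var shellMeta = regexp.MustCompile("[;&|`$(){}<>\\\\\"'\n*?\\[\\]~#]")

// HasShellMetachars is an SI-10 style input check: apply it to hook values
// before substitution, or use it to alert on suspicious filenames in file events.
func HasShellMetachars(v string) bool {
	return shellMeta.MatchString(v)
}

// SafeHookCommand never hands the expanded string to a shell: the template is
// split into tokens first and each token is expanded on its own, so a value
// becomes exactly one argv element whatever it contains.
func SafeHookCommand(tmpl string, vars map[string]string) (*exec.Cmd, error) {
	argv := strings.Fields(tmpl)
	if len(argv) == 0 {
		return nil, fmt.Errorf("empty hook template")
	}
	for i := range argv {
		argv[i] = os.Expand(argv[i], func(k string) string { return vars[k] })
	}
	return exec.Command(argv[0], argv[1:]...), nil
}

func main() {
	tmpl := "/usr/local/bin/notify $USERNAME $FILE" // assumed hook template
	fmt.Printf("shell string: %q\n", ExpandHook(tmpl, hookVars))
	fmt.Println("metacharacters in FILE:", HasShellMetachars(hookVars["FILE"]))
	cmd, _ := SafeHookCommand(tmpl, hookVars)
	fmt.Printf("argv: %q\n", cmd.Args) // the filename remains one argument
}
```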

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in a web file manager directly enables RCE: the foothold is exploitation of a public-facing application (T1190), and the injected payload runs as arbitrary shell commands (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34528 (same product: Filebrowser Filebrowser)
CVE-2026-32759 (same product: Filebrowser Filebrowser)
CVE-2026-35605 (same product: Filebrowser Filebrowser)
CVE-2026-35604 (same product: Filebrowser Filebrowser)
CVE-2026-32760 (same product: Filebrowser Filebrowser)
CVE-2025-53826 (same product: Filebrowser Filebrowser)
CVE-2026-30933 (same product: Filebrowser Filebrowser)
CVE-2026-35607 (same product: Filebrowser Filebrowser)
CVE-2025-64523 (same product: Filebrowser Filebrowser)
CVE-2026-25890 (same product: Filebrowser Filebrowser)

Affected Assets

filebrowser / filebrowser, versions 2.0.0 to 2.63.1

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: SI-10 Information Input Validation directly mitigates OS command injection by requiring sanitization and validation of filenames containing shell metacharacters before substitution into hook commands.

Prevent: CM-7 Least Functionality prohibits or restricts the vulnerable hook system unless essential, aligning with the vendor's mitigation of disabling hooks by default.

Prevent: SI-2 Flaw Remediation ensures timely patching to versions (e.g., 2.33.8+) where the hook vulnerability is addressed by default disablement.

References