
Cloud Vulnerability DB
A community-led vulnerabilities database
File Browser provides a file management interface within a specified directory; it can be used to upload, delete, preview, rename and edit files. In version 2.32.0 of the web application, every user is assigned a scope and only has access to the files within that scope. The Command Execution feature of File Browser, however, allows the execution of shell commands that are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server (GitHub Advisory).
Shell commands are executed with the uid of the server process without any further restrictions. This means they have access to all files managed by the application from all scopes, even those the user does not have access to in the GUI. The vulnerability allows access to the Filebrowser database file containing password hashes of all accounts. The CVSS v3.1 base score is 8.0 HIGH with vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H (GitHub Advisory).
An attacker with command execution permissions can gain read and write access to all files managed by the server, including files outside their assigned scope. They can extract the password hashes of all user accounts, enabling offline dictionary attacks, and potentially modify the database to change user passwords and impersonate any account, including administrators (GitHub Advisory).
The maintainers recommend completely disabling the "Execute commands" permission for all accounts. A patch version has been pushed that disables the feature for all existing installations and makes it opt-in. Organizations that do not require command execution should run File Browser from a distroless container image, which contains no shell for the feature to invoke. The feature can be re-activated using the --disable-exec=false flag or the FB_DISABLE_EXEC=false environment variable, though this is not recommended (GitHub Issue, Distroless).
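The check below is an added example, not File Browser's own code or part of the advisory. It classifies whether a File Browser instance has command execution enabled from its command line and environment, using only the two settings the advisory names (--disable-exec and FB_DISABLE_EXEC). It assumes that the command-line flag takes precedence over the environment variable, as is usual for CLI tools, and that the caller knows whether the instance runs a patched build, since the advisory gives no version number for the patch. The process inventory at the bottom is constructed sample data.

```python
"""Added example (not File Browser's own code): decide whether a File Browser
instance has the Command Execution feature turned on, from argv and environment.
Assumptions: --disable-exec on the command line overrides FB_DISABLE_EXEC in the
environment, and the caller supplies whether the build is patched."""
import shlex
from typing import Mapping, Optional, Sequence

FLAG = "--disable-exec"
ENV_VAR = "FB_DISABLE_EXEC"


def _parse_bool(text: str) -> Optional[bool]:
    """Parse common boolean spellings; None if the text is not recognised."""
    value = text.strip().lower()
    if value in ("true", "1", "yes"):
        return True
    if value in ("false", "0", "no"):
        return False
    return None


def disable_exec_from_argv(argv: Sequence[str]) -> Optional[bool]:
    """Value of --disable-exec on the command line, or None if it is absent.
    Accepts the bare flag (meaning true) and the --disable-exec=<bool> form;
    the last occurrence wins."""
    result = None
    for arg in argv[1:]:
        if arg == FLAG:
            result = True
        elif arg.startswith(FLAG + "="):
            result = _parse_bool(arg.split("=", 1)[1])
    return result


def exec_enabled(argv: Sequence[str], env: Mapping[str, str], patched: bool):
    """Return (enabled, source): whether shell execution is on, and which
    setting decided it ('flag', 'env' or 'default')."""
    value = disable_exec_from_argv(argv)
    if value is not None:
        return (not value, "flag")          # assumption: flag beats env var
    if ENV_VAR in env:
        value = _parse_bool(env[ENV_VAR])
        if value is not None:
            return (not value, "env")
    # Nothing explicit: the advisory says the patch flipped the default to off,
    # so an unpatched build with no setting still has execution enabled.
    return (not patched, "default")


def audit(processes):
    """Return one finding line per process that still has execution enabled."""
    findings = []
    for proc in processes:
        enabled, source = exec_enabled(proc["argv"], proc["env"], proc["patched"])
        if enabled:
            findings.append(f"{proc['name']}: exec enabled via {source}")
    return findings


# Constructed sample inventory (hypothetical process names, not real hosts).
SAMPLE_PROCESSES = [
    {"name": "fb-legacy", "patched": False,
     "argv": shlex.split("filebrowser -r /srv -p 8080"), "env": {}},
    {"name": "fb-patched-default", "patched": True,
     "argv": shlex.split("filebrowser -r /srv"), "env": {}},
    {"name": "fb-reenabled-env", "patched": True,
     "argv": shlex.split("filebrowser -r /srv"),
     "env": {"FB_DISABLE_EXEC": "false"}},
    {"name": "fb-flag-wins", "patched": True,
     "argv": shlex.split("filebrowser -r /srv --disable-exec=true"),
     "env": {"FB_DISABLE_EXEC": "false"}},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PROCESSES):
        print(line)
```

Of the four constructed processes, only the unpatched build with no setting and the patched build re-enabled through FB_DISABLE_EXEC=false are reported; an explicit --disable-exec=true wins over a conflicting environment variable under the stated assumption. To use it against real hosts, feed it each process's argv and environment (for example from /proc/PID/cmdline and /proc/PID/environ) together with the build's patch status.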
Source: This report was generated using AI