Vulnerability DatabaseCVE-2026-25890

CVE-2026-25890:
Wolfi vulnerability analysis and mitigation

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting unauthorized access to restricted files. This vulnerability is fixed in 2.57.1.

Source: NVD

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

8.1

Score

Published February 9, 2026

Severity HIGH

CNA Score 8.1

Affected Technologies

Wolfi
Chainguard

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 1.9

Exploitation Probability (EPSS) N/A

Affected packages and libraries

filebrowser
github.com/filebrowser/filebrowser

Sources

NVD
Chainguard
- Chainguard Has FixAdded at: Feb 10, 2026
GitHub Advisory Database
- GoLang Severity HIGHHas FixAdded at: Feb 10, 2026
Homebrew
- Homebrew Severity HIGHHas FixAdded at: Feb 24, 2026
Wolfi
- Wolfi Has FixAdded at: Feb 10, 2026

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Wolfi vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-34040	HIGH	8.8	cAdvisor	docker-fips-29	No	Yes	Mar 31, 2026
CVE-2026-33987	HIGH	7.1	Wolfi	freerdp2	No	Yes	Mar 30, 2026
CVE-2026-33997	MEDIUM	6.8	cAdvisor	docker	No	Yes	Mar 31, 2026
CVE-2026-33995	MEDIUM	5.3	Wolfi	libwinpr	No	Yes	Mar 30, 2026
CVE-2026-34073	LOW	1.7	Python	apache-beam-python-3.13-sdk	No	Yes	Mar 31, 2026