Vulnerability DatabaseCVE-2026-28492

CVE-2026-28492:
Wolfi vulnerability analysis and mitigation

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0.

Source: NVD

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

7.1

Score

Published March 5, 2026

Severity HIGH

CNA Score 7.1

Affected Technologies

Wolfi
Chainguard

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 12.5

Exploitation Probability (EPSS) N/A

Affected packages and libraries

filebrowser
github.com/filebrowser/filebrowser/v2

Sources

NVD
Chainguard
- Chainguard No FixAdded at: Mar 08, 2026
GitHub Advisory Database
- GoLang Severity HIGHHas FixAdded at: Mar 03, 2026
Homebrew
- Homebrew Severity MEDIUMHas FixAdded at: Mar 12, 2026
Wolfi
- Wolfi No FixAdded at: Mar 08, 2026

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Wolfi vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-40175	CRITICAL	10	JavaScript	grafana-prometheus	No	Yes	Apr 10, 2026
CVE-2026-32316	HIGH	8.2	Wolfi	jq-devel	No	No	Apr 13, 2026
CVE-2026-40227	MEDIUM	5.5	NixOS	systemd	No	Yes	Apr 10, 2026
CVE-2026-40179	MEDIUM	5.3	MinIO	certificate-transparency-fips	No	Yes	Apr 15, 2026
CVE-2026-40228	LOW	2.9	Wolfi	systemd	No	Yes	Apr 10, 2026