Vulnerability DatabaseCVE-2026-35606

CVE-2026-35606:
Wolfi vulnerability analysis and mitigation

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other content-serving endpoints (/api/raw, /api/preview, /api/subtitle) correctly verify this permission before serving content. A user with download: false can read any text file within their scope through two bypass paths. This vulnerability is fixed in 2.63.1.

Source: NVD

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

5.3

Score

Published April 7, 2026

Severity MEDIUM

CNA Score 5.3

Affected Technologies

Wolfi
Chainguard

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 13.1

Exploitation Probability (EPSS) N/A

Affected packages and libraries

filebrowser
github.com/filebrowser/filebrowser/v2

Sources

NVD
Chainguard
- Chainguard Has FixAdded at: Apr 09, 2026
GitHub Advisory Database
- GoLang Severity MEDIUMHas FixAdded at: Apr 09, 2026
Wolfi
- Wolfi Has FixAdded at: Apr 09, 2026

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Wolfi vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-40175	CRITICAL	10	JavaScript	grafana-prometheus	No	Yes	Apr 10, 2026
CVE-2026-32316	HIGH	8.2	Wolfi	jq-devel	No	No	Apr 13, 2026
CVE-2026-40227	MEDIUM	5.5	NixOS	systemd	No	Yes	Apr 10, 2026
CVE-2026-40179	MEDIUM	5.3	MinIO	certificate-transparency-fips	No	Yes	Apr 15, 2026
CVE-2026-40228	LOW	2.9	Wolfi	systemd	No	Yes	Apr 10, 2026