Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-29188

9.1 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 month, 1 week ago

File Browser: TUS Delete Endpoint Bypasses Delete Permission Check

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1.

References

https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm x_refsource_CONFIRM
https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f x_refsource_MISC
https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1 x_refsource_MISC

Affected products

filebrowser

==< 2.61.1

Matching in nixpkgs

pkgs.filebrowser

Filebrowser is a web application for managing files and directories

nixos-unstable 2.57.1
- nixpkgs-unstable 2.57.1
- nixos-unstable-small 2.57.1
nixos-25.11 2.57.1
- nixos-25.11-small 2.57.1
- nixpkgs-25.11-darwin 2.57.1

pkgs.filebrowser-quantum

Access and manage your files from the web

nixos-unstable 1.1.0-stable
- nixpkgs-unstable 1.1.0-stable
- nixos-unstable-small 1.1.0-stable

pkgs.python312Packages.filebrowser-safe

Snapshot of django-filebrowser for the Mezzanine CMS

nixos-25.11 1.1.1
- nixos-25.11-small 1.1.1
- nixpkgs-25.11-darwin 1.1.1

pkgs.python313Packages.filebrowser-safe

Snapshot of django-filebrowser for the Mezzanine CMS

nixos-unstable 1.1.1
- nixpkgs-unstable 1.1.1
- nixos-unstable-small 1.1.1
nixos-25.11 1.1.1
- nixos-25.11-small 1.1.1
- nixpkgs-25.11-darwin 1.1.1

pkgs.python314Packages.filebrowser-safe

Snapshot of django-filebrowser for the Mezzanine CMS

nixos-unstable 1.1.1
- nixpkgs-unstable 1.1.1
- nixos-unstable-small 1.1.1

Package maintainers

@HritwikSinghal Hritwik Singhal <nix@thorin.theoakenshield.com>
@prikhi Pavan Rikhi <pavan.rikhi@gmail.com>
@Denperidge Cat <contact@denperidge.com>
@JocimSus Joachim Susatiyo <joe.susatiyo@gmail.com>