LeakyCreds
NewInstant webhook alerts now available — notified within seconds of any credential detection.Learn more →
Home / Vulnerability Intelligence / CVE-2026-29188

CVE-2026-29188 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: March 5, 2026

File Browser - Broken Access Control

Published: March 5, 2026Updated: March 5, 2026Remote Exploitable

Overview

File Browser < 2.61.1 contains a broken access control vulnerability caused by improper permission checks in the TUS protocol DELETE endpoint, letting authenticated users with Create permission delete arbitrary files, exploit requires user authentication.

Severity & Score

Severity: Critical
CVSS Score: 9.1

Impact

Authenticated users with limited permissions can delete arbitrary files, potentially causing data loss or disruption.

Mitigation

Upgrade to version 2.61.1 or later.

References

Related Resources

Details

CVE ID
CVE-2026-29188
Severity
Critical
CVSS Score
9.1
Type
broken_access_control
Status
new

CWE

  • CWE-284

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H