{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-14T21:31:10.411","vulnerabilities":[{"cve":{"id":"CVE-2026-23849","sourceIdentifier":"security-advisories@github.com","published":"2026-01-19T21:15:51.653","lastModified":"2026-02-03T14:30:45.250","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a \"short-circuit\" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue."},{"lang":"es","value":"El Navegador de Archivos proporciona una interfaz de gestión de archivos dentro de un directorio especificado y puede ser utilizado para subir, eliminar, previsualizar, renombrar y editar archivos. Antes de la versión 2.55.0, la función JSONAuth.Auth contiene un fallo lógico que permite a atacantes no autenticados enumerar nombres de usuario válidos midiendo el tiempo de respuesta del endpoint /api/login. La vulnerabilidad existe debido a una evaluación de 'cortocircuito' en la lógica de autenticación. Cuando un nombre de usuario no se encuentra en la base de datos, la función devuelve inmediatamente. Sin embargo, si el nombre de usuario sí existe, el código procede a verificar la contraseña usando bcrypt (users.CheckPwd), que es una operación computacionalmente costosa diseñada para ser lenta. Esta diferencia en la ruta de ejecución crea una discrepancia de tiempo medible. La versión 2.55.0 contiene un parche para el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-208"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-203"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*","versionEndExcluding":"2.55.0","matchCriteriaId":"36CB8D4B-1DFD-4F56-81BD-E31B346B0CE5"}]}]}],"references":[{"url":"https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}