SCA: security update for github.com/filebrowser/filebrowser/v2 (GHSA-6cqf-cfhv-659g)

high Tenable Self-Hosted Container Security Plugin ID 436045

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- File Browser provides a file managing interface within a specified directory and it can be used to upload,
delete, preview, rename and edit files. Versions prior to 2.45.1 have an Insecure Direct Object Reference
(IDOR) vulnerability in the FileBrowser application's share deletion functionality. This vulnerability
allows any authenticated user with share permissions to delete other users' shared links without
authorization checks. The impact is significant as malicious actors can disrupt business operations by
systematically removing shared files and links. This leads to denial of service for legitimate users,
potential data loss in collaborative environments, and breach of data confidentiality agreements. In
organizational settings, this could affect critical file sharing for projects, presentations, or document
collaboration. Version 2.45.1 contains a fix for the issue. (CVE-2025-64523)

See Also

https://github.com/advisories/GHSA-6cqf-cfhv-659g

Plugin Details

Severity: High

ID: 436045

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 11/14/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.84

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-64523

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.2

Threat Score: 5.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/13/2025

Vulnerability Publication Date: 11/12/2025

Reference Information

CVE: CVE-2025-64523