CVE-2026-23849 - File Browser vulnerable to Username Enumeration via Timing Attack in /api/login

CVE ID : CVE-2026-23849 Published : Jan. 19, 2026, 9:15 p.m. | 1 hour, 10 minutes ago Description : File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a