The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
RCE
PHP
File Upload
Elfinder
NVD
GitHub
CVSS 3.1
9.8
EPSS
19.1%