Is Command Injection affected by CVE-2026-35585?

File Browser versions 2.0.0 through 2.63.1 contain a remote code execution vulnerability that allows authenticated administrators to execute arbitrary operating system commands through malicious filenames, potentially compromising server integrity and data confidentiality.

CVE-2026-35585

EUVD-2026-19775 HIGH

2026-04-07 GitHub_M

GHSA-jvpw-637p-h3pw

7.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 17:00 euvd

EUVD-2026-19775

Analysis Generated

Apr 07, 2026 - 17:00 vuln.today

CVE Published

Apr 07, 2026 - 16:20 nvd

HIGH 7.5

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 through 2.63.1, the hook system in File Browser - which executes administrator-defined shell commands on file events such as upload, rename, and delete - is vulnerable to OS command injection. Variable substitution for values like $FILE and $USERNAME is performed via os.Expand without sanitization. An attacker with file write permission can craft a malicious filename containing shell metacharacters, causing the server to execute arbitrary OS commands when the hook fires. This results in Remote Code Execution (RCE). This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations.

Analysis

Remote code execution in File Browser versions 2.0.0 through 2.63.1 allows authenticated administrators to execute arbitrary OS commands via malicious filenames. The vulnerability stems from unsanitized variable substitution in the hook system, which processes file events (upload, rename, delete) using administrator-defined shell commands. …

Remediation

Within 24 hours: Inventory all File Browser deployments and document current versions in use; disable the hook system feature if enabled in administrative settings. Within 7 days: Restrict file write permissions to trusted users only and audit recent file uploads for suspicious filenames containing shell metacharacters (e.g., $(), backticks, |, &, ;); upgrade to File Browser v2.33.8 or later if possible to benefit from the default-disabled mitigation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.8

CVSS: +38

POC: 0

CVE-2026-35585 vulnerability details – vuln.today

Back

CVE-2026-35585

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-35585

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code