Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5.
AnalysisAI
Authenticated administrators with Admin Console access to FileMaker Cloud can execute arbitrary operating system commands on the underlying host by bypassing front-end restrictions on OS Script schedule types. This vulnerability affects all FileMaker Cloud versions prior to 2.22.0.5 and requires high-privilege administrative credentials to exploit. Despite the network attack vector and total technical impact (full system compromise), the low EPSS score (0.13%, 32nd percentile) and SSVC assessment indicating no observed exploitation suggest this is not being actively exploited in the wild, likely due to the high privilege requirement limiting the attacker pool to malicious insiders or compromised admin accounts.
Technical ContextAI
FileMaker Cloud is Claris's database-as-a-service platform enabling teams to deploy custom applications in cloud environments. This vulnerability stems from improper neutralization of special elements used in OS commands (CWE-94: Code Injection), specifically in the scheduled task functionality within the Admin Console. The platform's front-end interface attempted to restrict certain OS Script schedule types, but this client-side validation could be bypassed, allowing authenticated administrators to inject and execute arbitrary operating system commands directly on the host infrastructure. The affected component (cpe:2.3:a:claris:filemaker_cloud) manages scheduled tasks that interact with the underlying operating system, and insufficient server-side input validation enabled command injection through crafted schedule parameters. This represents a classic privilege escalation scenario where administrative web console access translates to operating system-level command execution, breaking the intended isolation between administrative functions and host system access.
RemediationAI
Upgrade FileMaker Cloud to version 2.22.0.5 or later, which contains fixes for the front-end bypass vulnerability, as confirmed in Claris security advisory 000049153 (https://support.claris.com/s/answerview?anum=000049153&language=en_US). Organizations unable to immediately patch should implement compensating controls: restrict Admin Console access through network segmentation (allow only from trusted management networks/jump hosts), enforce multi-factor authentication on all administrator accounts, implement enhanced audit logging for Admin Console sessions with alerts on schedule creation/modification activities, and conduct immediate review of existing scheduled tasks for suspicious OS Script entries. Consider temporarily disabling OS Script scheduling functionality if not operationally required until patching is complete. Note that restricting admin access may impact legitimate administrative workflows, requiring coordination with FileMaker administrators. As this is a cloud-hosted service, patching typically requires coordination with Claris support or may be automatically applied depending on deployment model.
More in Filemaker Cloud
View allSame weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29878
GHSA-9682-24hm-2gh4