Skip to main content

FileMaker Cloud CVE-2026-43680

| EUVDEUVD-2026-29878 HIGH
Code Injection (CWE-94)
2026-05-12 apple GHSA-9682-24hm-2gh4
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 13, 2026 - 15:57 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
7.2 (None) 7.2 (HIGH)
Patch available
May 13, 2026 - 02:01 EUVD
CVE Published
May 12, 2026 - 22:24 nvd
UNKNOWN (no severity yet)
CVE Published
May 12, 2026 - 22:24 nvd
HIGH 7.2

DescriptionCVE.org

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5.

AnalysisAI

Authenticated administrators with Admin Console access to FileMaker Cloud can execute arbitrary operating system commands on the underlying host by bypassing front-end restrictions on OS Script schedule types. This vulnerability affects all FileMaker Cloud versions prior to 2.22.0.5 and requires high-privilege administrative credentials to exploit. Despite the network attack vector and total technical impact (full system compromise), the low EPSS score (0.13%, 32nd percentile) and SSVC assessment indicating no observed exploitation suggest this is not being actively exploited in the wild, likely due to the high privilege requirement limiting the attacker pool to malicious insiders or compromised admin accounts.

Technical ContextAI

FileMaker Cloud is Claris's database-as-a-service platform enabling teams to deploy custom applications in cloud environments. This vulnerability stems from improper neutralization of special elements used in OS commands (CWE-94: Code Injection), specifically in the scheduled task functionality within the Admin Console. The platform's front-end interface attempted to restrict certain OS Script schedule types, but this client-side validation could be bypassed, allowing authenticated administrators to inject and execute arbitrary operating system commands directly on the host infrastructure. The affected component (cpe:2.3:a:claris:filemaker_cloud) manages scheduled tasks that interact with the underlying operating system, and insufficient server-side input validation enabled command injection through crafted schedule parameters. This represents a classic privilege escalation scenario where administrative web console access translates to operating system-level command execution, breaking the intended isolation between administrative functions and host system access.

RemediationAI

Upgrade FileMaker Cloud to version 2.22.0.5 or later, which contains fixes for the front-end bypass vulnerability, as confirmed in Claris security advisory 000049153 (https://support.claris.com/s/answerview?anum=000049153&language=en_US). Organizations unable to immediately patch should implement compensating controls: restrict Admin Console access through network segmentation (allow only from trusted management networks/jump hosts), enforce multi-factor authentication on all administrator accounts, implement enhanced audit logging for Admin Console sessions with alerts on schedule creation/modification activities, and conduct immediate review of existing scheduled tasks for suspicious OS Script entries. Consider temporarily disabling OS Script scheduling functionality if not operationally required until patching is complete. Note that restricting admin access may impact legitimate administrative workflows, requiring coordination with FileMaker administrators. As this is a cloud-hosted service, patching typically requires coordination with Claris support or may be automatically applied depending on deployment model.

Share

CVE-2026-43680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy