Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable but requires the non-default SMB VFS driver to be configured (AC:H) plus a low-privileged authenticated account (PR:L); shell command execution yields full C/I/A impact with no scope change.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled filenames. Attackers can supply malicious filenames containing unescaped command substitution payloads through operations such as file upload, folder creation, rename, or deletion, which are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.
AnalysisAI
OS command injection in the Horde_Vfs_Smb driver of the Horde Virtual File System (VFS) API before 3.0.1 lets authenticated users execute arbitrary shell commands on the server. The flawed _escapeShellCommand() method fails to neutralize shell command-substitution sequences, so attacker-controlled filenames passed through routine file operations are interpolated into a double-quoted /bin/sh -c context and executed via proc_open() before smbclient runs. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) a Horde deployment configured to use the Horde_Vfs_Smb (SMB/CIFS) VFS driver - the non-default backend that invokes smbclient through /bin/sh -c, and (2) a valid low-privileged authenticated account able to perform VFS operations (file upload, folder creation, rename, or deletion). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H) describes a network-reachable, low-complexity flaw that requires low-privilege authentication and carries an attack requirement (AT:P) - reflecting that the deployment must actually use the SMB VFS backend. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with an ordinary authenticated Horde account uploads a file or creates a folder whose name embeds a command-substitution payload such as a backtick or $(...) sequence. When the SMB VFS driver builds the smbclient command line, the payload is evaluated by /bin/sh -c and runs on the server with the privileges of the PHP/web process, giving the attacker arbitrary command execution. … |
| Remediation | Vendor-released patch: upgrade the Horde_Vfs component to v3.0.1 or later (https://github.com/horde/Vfs/releases/tag/v3.0.1), which corrects _escapeShellCommand() as shown in commit 41f74b4acfc144e09013d04dd121e0a5da808361 and PR #10. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running Horde VFS and identify the current version. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42340
GHSA-4crx-2rrv-xxcf