Skip to main content

Horde VFS CVE-2026-60102

| EUVDEUVD-2026-42340 HIGH
OS Command Injection (CWE-78)
2026-07-08 VulnCheck GHSA-4crx-2rrv-xxcf
7.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable but requires the non-default SMB VFS driver to be configured (AC:H) plus a low-privileged authenticated account (PR:L); shell command execution yields full C/I/A impact with no scope change.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 17:22 vuln.today

DescriptionCVE.org

Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled filenames. Attackers can supply malicious filenames containing unescaped command substitution payloads through operations such as file upload, folder creation, rename, or deletion, which are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.

AnalysisAI

OS command injection in the Horde_Vfs_Smb driver of the Horde Virtual File System (VFS) API before 3.0.1 lets authenticated users execute arbitrary shell commands on the server. The flawed _escapeShellCommand() method fails to neutralize shell command-substitution sequences, so attacker-controlled filenames passed through routine file operations are interpolated into a double-quoted /bin/sh -c context and executed via proc_open() before smbclient runs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privileged Horde account
Delivery
Craft filename with command-substitution payload
Exploit
Trigger VFS upload/rename/delete operation
Execution
Payload interpolated into /bin/sh -c
Impact
Execute arbitrary commands as web service account

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a Horde deployment configured to use the Horde_Vfs_Smb (SMB/CIFS) VFS driver - the non-default backend that invokes smbclient through /bin/sh -c, and (2) a valid low-privileged authenticated account able to perform VFS operations (file upload, folder creation, rename, or deletion). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H) describes a network-reachable, low-complexity flaw that requires low-privilege authentication and carries an attack requirement (AT:P) - reflecting that the deployment must actually use the SMB VFS backend. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with an ordinary authenticated Horde account uploads a file or creates a folder whose name embeds a command-substitution payload such as a backtick or $(...) sequence. When the SMB VFS driver builds the smbclient command line, the payload is evaluated by /bin/sh -c and runs on the server with the privileges of the PHP/web process, giving the attacker arbitrary command execution. …
Remediation Vendor-released patch: upgrade the Horde_Vfs component to v3.0.1 or later (https://github.com/horde/Vfs/releases/tag/v3.0.1), which corrects _escapeShellCommand() as shown in commit 41f74b4acfc144e09013d04dd121e0a5da808361 and PR #10. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Horde VFS and identify the current version. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-60102 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy