Skip to main content

Elfinder EUVDEUVD-2026-25281

| CVE-2026-41247 HIGH
OS Command Injection (CWE-78)
2026-04-23 security-advisories@github.com GHSA-8q4h-8crm-5cvc
8.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 28, 2026 - 18:57 nvd
Patch available
Patch available
Apr 23, 2026 - 21:01 EUVD
EUVD ID Assigned
Apr 23, 2026 - 19:27 euvd
EUVD-2026-25281
CVE Published
Apr 23, 2026 - 19:17 nvd
HIGH 8.9

DescriptionGitHub Advisory

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user. This vulnerability is fixed in 2.1.67.

Analysis

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user. This vulnerability is fixed in 2.1.67.

CVE-2021-32682 CRITICAL POC
9.8 Jun 14

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Rated critical severity (CVSS 9.

CVE-2019-9194 CRITICAL POC
9.8 Feb 26

elFinder before 2.1.48 has a command injection vulnerability in the PHP connector. Rated critical severity (CVSS 9.8), t

CVE-2022-27115 CRITICAL POC
9.8 Apr 11

In Studio-42 elFinder 2.1.60, there is a vulnerability that causes remote code execution through file name bypass for fi

CVE-2021-23394 CRITICAL POC
9.8 Jun 13

The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in

CVE-2022-26960 CRITICAL POC
9.1 Mar 21

connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. Rated critical severity (CVSS 9.1)

CVE-2023-35840 MEDIUM POC
6.5 Jun 19

_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVol

CVE-2024-38909 CRITICAL
9.8 Jul 30

Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Rated critical severity (CVSS 9.8), this vulnerabil

CVE-2018-9110 CRITICAL
9.1 Mar 28

Studio 42 elFinder before 2.1.37 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function

CVE-2018-9109 CRITICAL
9.1 Mar 28

Studio 42 elFinder before 2.1.36 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function

CVE-2019-6257 HIGH
7.7 Jan 14

A Server Side Request Forgery (SSRF) vulnerability in elFinder before 2.1.46 could allow a malicious user to access the

CVE-2019-5884 MEDIUM
5.9 Jan 10

php/elFinder.class.php in elFinder before 2.1.45 leaks information if PHP's curl extension is enabled and safe_mode or o

CVE-2013-1972 MEDIUM
4.3 Jun 24

Cross-site request forgery (CSRF) vulnerability in the elFinder file manager module 6.x-0.x before 6.x-0.8 and 7.x-0.x b

Share

EUVD-2026-25281 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy