Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Admin-only access retains PR:H; RCE on host OS from application-level admin constitutes scope change (S:C), with full C/I/A impact.
Primary rating from Vendor (apple).
CVSS VectorVendor: apple
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
An authenticated administrator may be able to achieve arbitrary code execution on the host system by uploading a malicious file through the Open Source LLM setup feature in the Admin Console. This vulnerability has been addressed in FileMaker Server 26.0.1.
AnalysisAI
Arbitrary code execution on the host operating system is achievable by an authenticated FileMaker Server administrator via a malicious file upload through the Open Source LLM setup feature - specifically the Miniforge installer upload path - in the Admin Console. All FileMaker Server versions prior to 26.0.1 are affected; the flaw is classified as CWE-434 (unrestricted upload of a dangerous file type) and was reported directly by Apple/Claris product security. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid FileMaker Server administrator account (PR:H per CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS score of 4.9 (Medium) using AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N materially understates impact: a vulnerability enabling arbitrary code execution on the host OS should carry I:H and A:H at minimum, and plausibly S:C representing a scope change from the FileMaker application to the host OS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has acquired FileMaker Server administrator credentials - through phishing, credential stuffing, or insider access - connects to the Admin Console over the network, navigates to the Open Source LLM setup feature, and uploads a crafted Miniforge installer binary in place of a legitimate one. The server processes and executes the malicious file, granting the attacker arbitrary code execution on the host OS with the privileges of the FileMaker Server process. … |
| Remediation | Upgrade to FileMaker Server 26.0.1, which addresses this vulnerability per the Claris vendor advisory at https://community.claris.com/en/s/article/Arbitrary-Code-Execution-Vulnerability-Addressed-in-FileMaker-Server-via-Miniforge-Installer-Upload. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Filemaker Server
View allAn XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote atta
Claris International has resolved an issue of potentially allowing unauthorized access to records stored in databases ho
A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access an
Claris FileMaker Server before version 20.3.2 was susceptible to a reflected Cross-Site Scripting vulnerability due to a
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42652
GHSA-xf6h-j6rm-x673