Back to overview

CVE-2026-54088

CRITICAL Exploitation: PoC
9.3
CVSS 4.0
Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.

Metadata

CVE ID
CVE-2026-54088
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-11 18:44 UTC
Published
2026-06-25 17:49 UTC
Last updated
2026-06-25 18:36 UTC
Primary CWE
CWE-78
CWE-78: Improper Neutralization of Special Elements used in …
Vendor / Product
filebrowser / filebrowser
Sources
cve.org  ·  NVD

Severity & Metrics

9.3 CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
filebrowser filebrowser < 2.63.6
Weakness (CWE)
CWESourceDescription
CWE-306 cna CWE-306: Missing Authentication for Critical Function
CWE-78 cna CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-88 cna CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.3 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References (1)
Back to overview