CVE Catalog

CVE-2026-54088

CriticalCVSS 9.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.53%

41th percentile — higher than 41% of all known CVEs

Summary

File Browser prior to version 2.63.6 had a vulnerability in the Hook Authentication feature that allowed delegating login verification to an external shell command. User-supplied credentials were interpolated into this command string without sanitization, enabling remote attackers to execute arbitrary OS commands before any authentication.

Risk Assessment

This vulnerability poses a significant risk to organizations as it allows unauthorized attackers to execute system commands prior to any identity verification, potentially leading to system takeover.

Recommendation

It is recommended to update File Browser to version 2.63.6 or later to mitigate this critical vulnerability. Additionally, consider implementing further security measures to protect against similar attacks.

Original NVD description (English source)

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS