CVE Catalog

CVE-2026-54090

HighCVSS 8.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

File Browser before version 2.33.8 allows bypassing the command allowlist using shell metacharacters. The allowlist only validates the first token of user input, but the entire raw string is passed to the shell, allowing arbitrary commands to be executed after a permitted one.

Risk Assessment

An attacker can execute arbitrary system commands on the server, potentially leading to application compromise, data theft, or further attacks on the infrastructure.

Recommendation

Immediately update File Browser to version 2.33.8 or later, which contains a fix for this vulnerability.

Original NVD description (English source)

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell — semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS