OS Command Injection in FileBrowser - #VU133481

 


Published: June 8, 2026


Vulnerability identifier: #VU133481
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: File Browser
Affected software:
FileBrowser

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary OS commands.

The vulnerability exists due to command injection in HookAuth.RunCommand in auth/hook.go when processing login requests through the hook authentication feature. A remote attacker can send a specially crafted username or password value to execute arbitrary OS commands.

Only instances with the hook authentication feature enabled are vulnerable, and exploitation occurs before authentication is completed.
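The following Go sketch is an added illustration of the CWE-78 class described above. It is not FileBrowser's code and does not reproduce the affected function, which this advisory does not publish. It contrasts a login hook invoked through a shell string with one invoked using a fixed argv and credentials passed only as environment data. The names Credentials, shellStyleArgv, newHookCmd, the path /opt/hook.sh and the USERNAME/PASSWORD variable names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Credentials as received from a login request (untrusted input).
type Credentials struct{ Username, Password string }

// shellStyleArgv is the risky pattern: untrusted values are pasted into a
// string that a shell will parse, so metacharacters in them become syntax.
func shellStyleArgv(hookScript string, c Credentials) []string {
	return []string{"sh", "-c", fmt.Sprintf("%s %s %s", hookScript, c.Username, c.Password)}
}

// newHookCmd is the hardened pattern: argv is fixed by the administrator,
// no shell is involved, and credentials travel only as environment data.
// The hook itself must still treat these variables as data (quote them).
func newHookCmd(hookPath string, c Credentials) (*exec.Cmd, error) {
	for _, v := range []string{c.Username, c.Password} {
		if strings.ContainsRune(v, 0) { // NUL cannot be carried in an env value
			return nil, errors.New("credential contains NUL byte")
		}
	}
	cmd := exec.Command(hookPath) // no argument is derived from the request
	cmd.Env = []string{"USERNAME=" + c.Username, "PASSWORD=" + c.Password}
	return cmd, nil
}

func main() {
	// Constructed sample input containing a shell metacharacter.
	c := Credentials{Username: "alice; id", Password: "pw"}
	fmt.Printf("shell-style argv: %q\n", shellStyleArgv("/opt/hook.sh", c))

	cmd, err := newHookCmd("/opt/hook.sh", c)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	// The command is only built and inspected here, never started.
	fmt.Printf("hardened argv: %q env: %q\n", cmd.Args, cmd.Env)
}
```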


Remediation

Install the security update from the vendor's website.

Sources