CVE-2026-54088
CriticalCVSS 9.3Exploitation Probability (EPSS)
Low risk41th percentile — higher than 41% of all known CVEs
Summary
File Browser prior to version 2.63.6 had a vulnerability in the Hook Authentication feature that allowed delegating login verification to an external shell command. User-supplied credentials were interpolated into this command string without sanitization, enabling remote attackers to execute arbitrary OS commands before any authentication.
Risk Assessment
This vulnerability poses a significant risk to organizations as it allows unauthorized attackers to execute system commands prior to any identity verification, potentially leading to system takeover.
Recommendation
It is recommended to update File Browser to version 2.63.6 or later to mitigate this critical vulnerability. Additionally, consider implementing further security measures to protect against similar attacks.
Original NVD description (English source)
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.

