CVE-2026-54090
HighCVSS 8.7Exploitation Probability (EPSS)
Low risk24th percentile — higher than 24% of all known CVEs
Summary
File Browser before version 2.33.8 allows bypassing the command allowlist using shell metacharacters. The allowlist only validates the first token of user input, but the entire raw string is passed to the shell, allowing arbitrary commands to be executed after a permitted one.
Risk Assessment
An attacker can execute arbitrary system commands on the server, potentially leading to application compromise, data theft, or further attacks on the infrastructure.
Recommendation
Immediately update File Browser to version 2.33.8 or later, which contains a fix for this vulnerability.
Original NVD description (English source)
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell — semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8.

