Description
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user. This vulnerability is fixed in 2.1.67.
Published: 2026-04-23
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary command execution
Action: Patch
AI Analysis

Impact

A command injection flaw exists in elFinder's resize operation when the background color parameter is supplied during ImageMagick CLI processing. The bg value is directly concatenated into a shell command without proper escaping, per CWE-78. An attacker who can trigger the resize command with a crafted background color string can run arbitrary commands under the web server account, compromising the server's confidentiality, integrity, and availability.

Affected Systems

Studio-42 elFinder versions prior to 2.1.67 are affected. The vulnerability applies to deployments that use the ImageMagick CLI backend for image manipulation, which is commonly enabled in many web-hosted file managers.

Risk and Exploitability

With a CVSS score of 8.9 the flaw is high severity, but the EPSS score of less than 1% indicates a low likelihood of exploitation at this time. The flaw is not listed in the CISA KEV catalog, suggesting no confirmed in-the-wild exploitation yet. The attack vector is remote through the web application; an attacker needs only the ability to invoke the resize command via HTTP. Once executed, commands run with the privileges of the web server process, giving full control of the affected host.

Generated by OpenCVE AI on April 28, 2026 at 14:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest elFinder release 2.1.67 or newer to eliminate the injection vector.
  • Disable the background color parameter for image resize or block the resize endpoint from unauthenticated users if patching cannot be performed immediately.
  • Configure ImageMagick to use security policies (such as safe mode or policy.xml whitelists) or switch to the PHP Imagick extension to avoid shell invocation.
  • Validate or sanitize the bg parameter on the server side, ensuring it matches a list of permissible color codes before incorporating it into any command.
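The last two actions above, allow-list validation of the bg value and avoiding shell invocation, can be combined in a few lines. The following is an added illustration written for this page, not elFinder's own connector code: the function names, the named-colour list and the sample inputs are constructed. It accepts only anchored hex forms or a fixed set of colour names, and builds the ImageMagick arguments as an array so that, if `convert` is ever invoked, it is through `child_process.execFile` (no shell parsing) rather than a concatenated command string.

```javascript
// Added example, not elFinder's code. Allow-list validation of an image
// background colour before it reaches an ImageMagick command line, plus
// argument-array construction so no shell ever parses the value.
// Function names, the colour list and the sample inputs are constructed.

// Named colours ImageMagick understands. Every entry must be plain [a-z]+;
// a real deployment would tune this list to what its UI actually offers.
const NAMED_COLOURS = new Set([
  'black', 'white', 'red', 'green', 'blue', 'gray', 'grey', 'yellow',
  'cyan', 'magenta', 'transparent', 'none',
]);

// Hex forms: #rgb, #rgba, #rrggbb, #rrggbbaa. Anchored at both ends and
// without whitespace, so a value carrying ';', '`' or '$(' can never match.
const HEX_COLOUR = /^#(?:[0-9a-f]{3}|[0-9a-f]{4}|[0-9a-f]{6}|[0-9a-f]{8})$/i;

// Returns true only for values on the allow-list; everything else is
// rejected before it is used anywhere.
function isSafeBgColor(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 32) {
    return false;
  }
  if (HEX_COLOUR.test(value)) return true;
  return NAMED_COLOURS.has(value.toLowerCase());
}

// Build the argv for ImageMagick's `convert` as an array. Passed to
// child_process.execFile('convert', args, cb) each element reaches the
// process verbatim, so even a hostile string could only be a bad colour,
// never a second command. Validation still runs first so that bad input
// fails loudly instead of producing a broken image.
function buildResizeArgs(src, dst, width, height, bg) {
  if (!isSafeBgColor(bg)) {
    throw new Error('bg rejected: not an allow-listed colour');
  }
  if (!Number.isInteger(width) || !Number.isInteger(height) ||
      width <= 0 || height <= 0) {
    throw new Error('width/height must be positive integers');
  }
  const geometry = `${width}x${height}`;
  return [
    src,
    '-background', bg,
    '-resize', geometry,
    '-gravity', 'center',
    '-extent', geometry,
    dst,
  ];
}

// Demonstration on constructed inputs (no process is spawned here).
const accepted = ['#ffffff', '#FFF', 'transparent'];
const rejected = ['#ffffff; true', 'white`x`', '#fff $(x)', ''];
console.log('accepted:', accepted.map(isSafeBgColor));   // [true, true, true]
console.log('rejected:', rejected.map(isSafeBgColor));   // [false, false, false, false]
console.log(buildResizeArgs('in.png', 'out.png', 200, 100, '#ffffff'));
```

The two controls are independent: the allow-list is what stops unexpected data reaching ImageMagick at all, and the argument array is what guarantees that a validation mistake cannot become shell execution. Keeping both means neither has to be perfect on its own.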


Advisories
Source: GitHub GHSA
ID: GHSA-8q4h-8crm-5cvc
Title: elFinder: Command injection in resize background color parameter when using ImageMagick CLI
History

Tue, 28 Apr 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Std42; Std42 elfinder
CPEs | (none) | cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Std42; Std42 elfinder
Metrics | (none) | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 28 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Studio42; Studio42 elfinder
Vendors & Products | (none) | Studio42; Studio42 elfinder

Sat, 25 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user. This vulnerability is fixed in 2.1.67.
Title | (none) | elFinder: Command injection in resize background color parameter when using ImageMagick CLI
Weaknesses | (none) | CWE-78
References | (none) | (none listed)
Metrics | (none) | cvssV4_0: {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-25T01:25:26.122Z

Reserved: 2026-04-18T03:47:03.135Z

Link: CVE-2026-41247

Vulnrichment

Updated: 2026-04-25T01:25:21.738Z

NVD

Status: Analyzed

Published: 2026-04-23T19:17:29.850

Modified: 2026-04-28T18:57:54.110

Link: CVE-2026-41247

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses