Description
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service. This vulnerability only affects installations configured to use the MySQL volume driver. This vulnerability is fixed in 2.1.68.
Published: 2026-05-27
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerable elFinder MySQL volume driver allows any logged‑in user, even those with read‑only permissions, to inject arbitrary SQL through a crafted target file hash. This flaw is a classic SQL injection (CWE‑89) that can expose sensitive data and cause application downtime.
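To make the mechanism concrete, here is an added example in Python (it is not elFinder's own code and not a reproduction of the fixed commit). It reimplements elFinder's public file-hash encoding (volume id prefix plus URL-safe base64 of the path, with `+/=` mapped to `-_.` and the trailing `.` padding stripped), then shows, against an in-memory SQLite stand-in for the MySQL files table, how a decoded hash that is spliced into a query lets a read-only user widen a single-row lookup to rows they should not see, and how a strict numeric-id check plus a bound parameter closes it. The volume id `m1_`, the table layout and the exact query shape are assumptions made for the illustration.

```python
import base64
import re
import sqlite3

# Assumed volume id prefix for this example; real ids come from the connector config.
VOLUME_ID = "m1_"


def encode_hash(volume_id: str, path: str) -> str:
    """Build an elFinder-style file hash: volume id + URL-safe base64 of the path.

    elFinder maps '+/=' to '-_.' and strips the trailing '.' padding so the
    hash can travel in URLs and in the connector's 'target' parameter. For the
    MySQL volume driver the 'path' is the numeric row id of the file.
    """
    b64 = base64.b64encode(path.encode("utf-8")).decode("ascii")
    return volume_id + b64.translate(str.maketrans("+/=", "-_.")).rstrip(".")


def decode_hash(volume_id: str, file_hash: str) -> str:
    """Reverse encode_hash(). The result is attacker-controlled text: nothing in
    the encoding constrains it to be a number, which is the root of the issue."""
    if not file_hash.startswith(volume_id):
        raise ValueError("hash does not belong to this volume")
    b64 = file_hash[len(volume_id):].translate(str.maketrans("-_.", "+/="))
    b64 += "=" * (-len(b64) % 4)  # restore the padding that encode_hash stripped
    return base64.b64decode(b64).decode("utf-8")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the MySQL 'files' table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, owner TEXT, content TEXT);
        INSERT INTO files VALUES (1, 'readme.txt',  'alice', 'public notes');
        INSERT INTO files VALUES (2, 'payroll.csv', 'bob',   'CONFIDENTIAL');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, volume_id: str, file_hash: str):
    """The flaw class the advisory describes (illustrative shape, not elFinder's
    actual code): the decoded 'path' is interpolated straight into the statement."""
    path = decode_hash(volume_id, file_hash)
    sql = f"SELECT id, name, content FROM files WHERE id = {path}"
    return conn.execute(sql).fetchall()


def hardened_lookup(conn: sqlite3.Connection, volume_id: str, file_hash: str):
    """Same lookup with two independent controls: reject anything that is not a
    plain ASCII decimal id, and bind the value as a parameter so the database
    never parses it as SQL even if the first check is bypassed."""
    path = decode_hash(volume_id, file_hash)
    if re.fullmatch(r"[0-9]+", path) is None:
        raise ValueError("invalid file id in target hash")
    return conn.execute(
        "SELECT id, name, content FROM files WHERE id = ?", (int(path),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A read-only user is entitled to row 1 only.
    legit = encode_hash(VOLUME_ID, "1")
    print("legit  :", legit, vulnerable_lookup(db, VOLUME_ID, legit))
    # A crafted hash decodes to a SQL fragment; the vulnerable form returns every row.
    # Against MySQL the same slot also accepts time-based payloads such as SLEEP(),
    # which is the denial-of-service angle the advisory mentions.
    crafted = encode_hash(VOLUME_ID, "1 OR 1=1")
    print("crafted:", crafted, vulnerable_lookup(db, VOLUME_ID, crafted))
    try:
        hardened_lookup(db, VOLUME_ID, crafted)
    except ValueError as exc:
        print("hardened rejects crafted hash:", exc)
```

The numeric check alone would be enough for this driver, but binding the parameter as well means a future change to what a "path" may contain cannot silently reopen the injection; keeping both is the cheap, defensive choice.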

Affected Systems

Studio‑42 elFinder versions earlier than 2.1.68 that use the MySQL volume driver are affected. The issue is limited to installations configured to employ the elFinderVolumeMySQL driver.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8) indicates a high‑severity flaw: it is reachable over the network, has low attack complexity, needs no user interaction, and the only precondition is an account that can see the affected volume, which includes read‑only users. It applies only to installations that use the MySQL volume driver; deployments using other volume drivers are not affected. No EPSS score is available, the SSVC assessment records no known exploitation and rates it not automatable, and it is not listed in CISA's KEV catalog, but the low barrier to exploitation warrants prompt remediation.

Generated by OpenCVE AI on May 27, 2026 at 19:15 UTC.

Remediation

Fixed upstream in elFinder 2.1.68. No vendor workaround is published for earlier versions; the recommended actions below are configuration‑level mitigations only.

OpenCVE Recommended Actions

  • Update elFinder to version 2.1.68 or later, which contains the fix for the SQL injection issue.
  • If an immediate upgrade is not feasible, restrict access to the MySQL volume to trusted users only. Removing read‑only users does not reduce the exposure for the accounts that remain, since any logged‑in user who can reach the volume can exploit the flaw.
  • Where possible, disable or remove the MySQL volume driver from the installation if it is not required for the application’s functionality.



Advisories
Source: GitHub GHSA
ID: GHSA-c3gj-q88f-7hqj
Title: elFinder MySQL has a SQL Injection in its Volume Driver (elFinderVolumeMySQL)
History

Wed, 27 May 2026 18:30:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 17:45:00 +0000

Type: Description
Values added: elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service. This vulnerability only affects installations configured to use the MySQL volume driver. This vulnerability is fixed in 2.1.68.

Type: Title
Values added: elFinder: SQL Injection MySQL Volume Driver (elFinderVolumeMySQL)

Type: Weaknesses
Values added: CWE-89

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:05:43.342Z

Reserved: 2026-05-06T19:38:10.566Z

Link: CVE-2026-44521

Vulnrichment

Updated: 2026-05-27T18:05:39.516Z

NVD

Status: Received

Published: 2026-05-27T18:16:23.953

Modified: 2026-05-27T18:16:23.953

Link: CVE-2026-44521

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:30:35Z

Weaknesses