Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.
Published: 2026-06-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the Hook Authentication feature, which delegates login verification to an arbitrary shell command. The command string is built by expanding user‑supplied credentials without any sanitization, allowing an unauthenticated attacker to inject shell metacharacters into the username or password fields. The injected characters cause the server to execute arbitrary OS commands before authentication completes, resulting in remote code execution with the privileges of the web server process. This flaw is an instance of OS Command Injection and effectively bypasses all authentication controls.
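The pattern the Description and this Impact paragraph describe, as an added Go example that is not File Browser's own code: a constructed hook template that interpolates the credentials with os.Expand into a command string destined for a shell, next to a hardened variant that starts the hook program directly with a fixed argv and hands the credentials over as environment variables so the shell never parses them. The hook path, the `$username`/`$password` placeholders and the `HOOK_USERNAME`/`HOOK_PASSWORD` variable names are assumptions made for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Constructed illustration of the bug class in the advisory (not File
// Browser's real code): credentials are substituted into a shell template
// with os.Expand; if the result is later run via "sh -c", every shell
// metacharacter in the username or password is parsed by the shell.
func buildHookCommandUnsafe(template, username, password string) string {
	return os.Expand(template, func(name string) string {
		switch name {
		case "username":
			return username
		case "password":
			return password
		}
		return "" // unknown placeholders expand to nothing
	})
}

// Hardened pattern: the hook program is started directly, with argv fixed
// to [hookPath] and no shell in between. The credentials travel as
// environment variables (names chosen for this example), so the hook reads
// them as opaque strings and no metacharacter is ever interpreted.
func buildHookCommandSafe(ctx context.Context, hookPath, username, password string) (*exec.Cmd, error) {
	if strings.ContainsRune(username, 0) || strings.ContainsRune(password, 0) {
		return nil, errors.New("credentials must not contain NUL bytes")
	}
	cmd := exec.CommandContext(ctx, hookPath) // absolute path: no PATH lookup
	cmd.Env = append(os.Environ(), "HOOK_USERNAME="+username, "HOOK_PASSWORD="+password)
	return cmd, nil
}

func main() {
	user := "bob|x" // constructed input carrying a shell metacharacter
	fmt.Println("unsafe:", buildHookCommandUnsafe("/opt/hook/check-login $username $password", user, "pw"))
	cmd, err := buildHookCommandSafe(context.Background(), "/opt/hook/check-login", user, "pw")
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("safe argv:", cmd.Args, "env tail:", cmd.Env[len(cmd.Env)-2:])
}
```

The unsafe string is only printed, never executed; the point is that the `|` survives into the command text in the first form and stays inert data in the second.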

Affected Systems

The product affected is File Browser by filebrowser. All releases prior to version 2.63.6 are vulnerable because they implement the insecure Hook Authentication logic. Versions 2.63.6 and later have the issue fixed.

Risk and Exploitability

The CVSS score of 9.3 classifies the flaw as critical. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of a patch does not reduce the potential for exploitation. An attacker can gain remote code execution by accessing the public login endpoint of a File Browser instance with Hook Authentication enabled, crafting a payload that contains shell metacharacters in the username or password field. No special credentials or network restrictions are required, making this an easily exploitable pre‑authentication vulnerability.

Generated by OpenCVE AI on June 25, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the File Browser installation to version 2.63.6 or later, where the Hook Authentication command is correctly sanitized.
  • If an immediate upgrade is not possible, disable the Hook Authentication feature or remove its configuration to prevent the execution of arbitrary shell commands.
  • Reconfigure any remaining authentication mechanisms to use built‑in or secure external methods, ensuring that no shell command receives unsanitized user input.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Filebrowser
                                      Filebrowser filebrowser
Vendors & Products                    Filebrowser
                                      Filebrowser filebrowser

Thu, 25 Jun 2026 19:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 18:30:00 +0000

Type                 Values Removed   Values Added
Description                           File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.
Title                                 File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)
Weaknesses                            CWE-306
                                      CWE-78
                                      CWE-88
References
Metrics                               cvssV4_0
                                      {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:36:52.953Z

Reserved: 2026-06-11T18:44:47.761Z

Link: CVE-2026-54088

Vulnrichment

Updated: 2026-06-25T18:35:51.601Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')