Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell — semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8.
Published: 2026-06-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

File Browser allows users to manage files through a web interface, and prior to version 2.33.8 an allowlist of permitted shell commands was enforced only on the first whitespace-separated token of user-supplied input. The rest of the string was never inspected: the entire raw input was handed to the configured shell interpreter (e.g. /bin/sh -c), which performs its own parsing. This is a command injection flaw, catalogued as CWE-184 (Incomplete List of Disallowed Inputs) and CWE-77 (Command Injection). By appending shell metacharacters such as semicolons, pipes, backticks, or $() after a permitted command, an attacker can chain arbitrary commands that execute with the privileges of the File Browser process. The result is remote code execution on the host running File Browser and, depending on how the process is deployed, full compromise of that host.

Affected Systems

The vulnerability affects File Browser (vendor: filebrowser). Any deployment running version 2.33.7 or earlier with a shell interpreter such as /bin/sh -c configured for command execution is affected; the advisory scopes the bypass to that configuration, since it is the shell that interprets the metacharacters. Versions 2.33.8 and newer contain the fix and are not affected.

Risk and Exploitability

The CVSS 4.0 base score of 8.7 rates this flaw as High severity. The vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) describes an attack that is reachable over the network, needs only a low-privileged account, requires no user interaction, and has high impact on confidentiality, integrity and availability. The EPSS probability is below 1% (Very Low), and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records a public proof of concept (Exploitation: poc), total technical impact, and no automatable exploitation. Exploitation requires that the deployment has a shell interpreter configured for command execution and that the attacker can submit a command string through the web interface. Any user who can do so can bypass the allowlist and chain arbitrary commands after a permitted one, leading to full compromise of the underlying host.

Generated by OpenCVE AI on June 25, 2026 at 19:24 UTC.

Remediation

Vendor fix: File Browser 2.33.8 (advisory GHSA-8c9q-7855-wfxq). Until the upgrade is applied, disabling the configured shell interpreter removes the injection path, because the bypass only exists when a shell parses the command string.

OpenCVE Recommended Actions

  • Upgrade File Browser to version 2.33.8 or later.
  • If an upgrade is not immediately possible, disable the configured shell interpreter (e.g. /bin/sh -c) or remove command execution from the configuration entirely; without a shell in the loop the metacharacters are not interpreted.
  • Do not treat rejecting or escaping individual metacharacters as the fix: an incomplete list of disallowed inputs is exactly the weakness recorded here as CWE-184, and the shell recognises more separators (&&, ||, &, newlines) than the semicolon, pipe, backtick and $() the advisory names. The durable pattern is to tokenise the input yourself, match the program name against the allowlist, and execute it directly with an argument vector and no shell, so that any metacharacters arrive as literal arguments.
  • Keep the allowlist to binaries that cannot themselves run other programs. Allowlisting sh, bash, find (with -exec), or an editor reintroduces command execution through the permitted program's own features, whether or not a shell is involved.



Advisories
Source: GitHub GHSA
ID: GHSA-8c9q-7855-wfxq
Title: File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection
History

Fri, 26 Jun 2026 16:30:00 +0000

Values added:
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 22:15:00 +0000

Values added:
First time appeared: vendor Filebrowser; product Filebrowser filebrowser
Vendors & Products: vendor Filebrowser; product Filebrowser filebrowser

Thu, 25 Jun 2026 18:30:00 +0000

Values added:
Description: File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell: semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8.
Title: File Browser: Command Allowlist Bypass via Shell Metacharacter Injection
Weaknesses: CWE-184, CWE-77
References: (none)
Metrics: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-26T15:32:50.909Z
Reserved: 2026-06-11T18:44:47.761Z
Link: CVE-2026-54090

Vulnrichment
Updated: 2026-06-26T15:27:15.246Z

NVD
No data.

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-06-25T22:00:12Z

Weaknesses
  • CWE-184: Incomplete List of Disallowed Inputs
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')