CVE-2026-54088

Source
https://cve.org/CVERecord?id=CVE-2026-54088
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54088.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54088
Aliases
Published
2026-06-25T17:49:14.017Z
Modified
2026-07-08T08:13:43.747943637Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)
Details

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54088.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-306",
        "CWE-78",
        "CWE-88"
    ]
}
References

Affected packages

Git / github.com/filebrowser/filebrowser

Affected ranges

Type
GIT
Repo
https://github.com/filebrowser/filebrowser
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.63.6"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.1.1
v1.10.0
v1.11.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.10
v1.3.11
v1.3.12
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.6.0
v1.7.0
v1.7.1
v1.8.0
v1.9.0
v2.*
v2.0.0
v2.0.0-rc.1
v2.0.0-rc.2
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.2
v2.10.0
v2.11.0
v2.12.0
v2.12.1
v2.13.0
v2.14.0
v2.14.1
v2.15.0
v2.16.0
v2.16.1
v2.17.0
v2.17.1
v2.17.2
v2.18.0
v2.19.0
v2.2.0
v2.20.0
v2.20.1
v2.21.0
v2.21.1
v2.22.0
v2.22.1
v2.22.2
v2.22.3
v2.22.4
v2.23.0
v2.24.0
v2.24.1
v2.24.2
v2.25.0
v2.26.0
v2.27.0
v2.28.0
v2.29.0
v2.3.0
v2.30.0
v2.31.0
v2.31.1
v2.31.2
v2.32.0
v2.32.1
v2.32.2
v2.32.3
v2.33.0
v2.33.1
v2.33.10
v2.33.2
v2.33.3
v2.33.4
v2.33.5
v2.33.6
v2.33.7
v2.33.8
v2.33.9
v2.34.0
v2.34.1
v2.34.2
v2.35.0
v2.36.0
v2.36.1
v2.36.2
v2.36.3
v2.37.0
v2.38.0
v2.39.0
v2.4.0
v2.40.0
v2.40.1
v2.40.2
v2.41.0
v2.42.0
v2.42.1
v2.42.2
v2.42.3
v2.42.4
v2.42.5
v2.43.0
v2.44.0
v2.44.1
v2.44.2
v2.45.0
v2.45.1
v2.45.2
v2.45.3
v2.46.0
v2.46.1
v2.47.0
v2.48.0
v2.48.1
v2.48.2
v2.49.0
v2.5.0
v2.50.0
v2.51.0
v2.51.1
v2.51.2
v2.52.0
v2.53.0
v2.53.1
v2.54.0
v2.55.0
v2.56.0
v2.57.0
v2.57.1
v2.58.0
v2.59.0
v2.6.0
v2.6.1
v2.6.2
v2.60.0
v2.61.0
v2.61.1
v2.61.2
v2.62.0
v2.62.1
v2.62.2
v2.63.0
v2.63.1
v2.63.3
v2.63.4
v2.63.5
v2.7.0
v2.8.0
v2.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54088.json"