CVE-2026-60102
Severity CVSS v4.0:
HIGH
Type:
CWE-78
OS Command Injections
Publication date:
08/07/2026
Last modified:
08/07/2026
Description
Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled filenames. Attackers can supply malicious filenames containing unescaped command substitution payloads through operations such as file upload, folder creation, rename, or deletion, which are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.
Impact
Base Score 4.0
7.70
Severity 4.0
HIGH
Base Score 3.x
8.80
Severity 3.x
HIGH



