CVE-2026-54090
Severity CVSS v4.0: HIGH
Type: CWE-77 Command Injection
Publication date: 25/06/2026
Last modified: 26/06/2026
Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell — semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8.
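The gap between a first-token check and whole-string validation, as an added Go example (not File Browser's own code). The allowlist contents, the whitespace tokenization, and the names `firstTokenAllowed`, `safeArgv` and `shellMeta` are assumptions made for illustration, and the inputs are constructed:

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed allowlist for this example.
var allowed = map[string]bool{"ls": true, "git": true}

// Characters a POSIX shell interprets instead of passing through literally.
const shellMeta = ";|&`$()<>\\\"'*?[]{}~#!\n\r"

// firstTokenAllowed models the flawed check: only the first
// whitespace-separated token is compared against the allowlist.
func firstTokenAllowed(raw string) bool {
	f := strings.Fields(raw)
	return len(f) > 0 && allowed[f[0]]
}

// safeArgv validates the whole string and returns an argv intended for
// direct execution (exec.Command(argv[0], argv[1:]...)), with no shell.
func safeArgv(raw string) ([]string, error) {
	if strings.ContainsAny(raw, shellMeta) {
		return nil, fmt.Errorf("shell metacharacter in %q", raw)
	}
	argv := strings.Fields(raw)
	if len(argv) == 0 || !allowed[argv[0]] {
		return nil, fmt.Errorf("command not allowlisted: %q", raw)
	}
	return argv, nil
}

func main() {
	// Constructed inputs: one plain command, then chained forms.
	inputs := []string{"ls -la docs", "ls ; echo chained", "ls | wc -l",
		"ls $(echo x)", "ls `echo x`", "cat notes.txt"}
	for _, in := range inputs {
		_, err := safeArgv(in)
		fmt.Printf("%-20q first-token=%-5v whole-string=%v\n",
			in, firstTokenAllowed(in), err == nil)
	}
}
```

Every chained input passes the first-token check because its first token is `ls`; only whole-string validation combined with shell-free execution rejects them.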
Impact
Base Score 4.0: 8.70
Severity 4.0: HIGH



