Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-54090

Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-77 Neutralización incorrecta de elementos especiales usados en un comando (Inyección de comando)
Fecha de publicación:
25/06/2026
Última modificación:
26/06/2026

Descripción

*** Pendiente de traducción *** File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell — semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8.