CVE 8.9 HIGH

elFinder: Command injection in resize background color parameter when using ImageMagick CLI_CVE-2026-41247

April 23, 2026 invoker category_cve
8.9 / 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Description

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user. This vulnerability is fixed in 2.1.67.

AI Analysis

Command injection vulnerability in the resize command of elFinder, allowing arbitrary command execution as the web server process user

Basic Information

ID CVE-2026-41247
Source GitHub_M
Published Apr 23, 2026 at 18:47

Affected Product

Vendor Studio-42
Product elFinder
Version < 2.1.67
Affected Versions Studio-42 elFinder < 2.1.67

CWE Classification

CWE-78

AI Assessment

AI Score 8.9 / 10
AI Severity High
Vendor Studio-42
Product elFinder
Version < 2.1.67

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.