CVE 8.8 HIGH

elFinder: SQL Injection MySQL Volume Driver (elFinderVolumeMySQL)_CVE-2026-44521

May 27, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service. This vulnerability only affects installations configured to use the MySQL volume driver. This vulnerability is fixed in 2.1.68.

AI Analysis

Authenticated SQL injection vulnerability in elFinder MySQL volume driver

Basic Information

ID CVE-2026-44521

Source GitHub_M

Published May 27, 2026 at 17:16

Modified May 27, 2026 at 18:05

Affected Product

Vendor Studio-42

Product elFinder

Version < 2.1.68

Affected Versions Studio-42 elFinder < 2.1.68

CWE Classification

CWE-89

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Studio-42

Product elFinder

Version < 2.1.68

References

github.com /Studio-42/elFinder/security/advisories/GHSA-c3gj-q88f-7hqj

{
    "lastseen": "",
    "description": "elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service. This vulnerability only affects installations configured to use the MySQL volume driver. This vulnerability is fixed in 2.1.68.",
    "published": "2026-05-27T17:16:51.434Z",
    "modified": "2026-05-27T18:05:43.342Z",
    "type": "cve",
    "title": "elFinder: SQL Injection MySQL Volume Driver (elFinderVolumeMySQL)",
    "source": "GitHub_M",
    "references": "https://github.com/Studio-42/elFinder/security/advisories/GHSA-c3gj-q88f-7hqj",
    "id": "CVE-2026-44521",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "Studio-42 elFinder < 2.1.68",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "elFinder",
    "version": "< 2.1.68",
    "vendor": "Studio-42",
    "ai_description": "Authenticated SQL injection vulnerability in elFinder MySQL volume driver",
    "ai_severity": "High",
    "ai_vendor": "Studio-42",
    "ai_product": "elFinder",
    "ai_version": "< 2.1.68",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply