File Browser: Command Allowlist Bypass via Shell Metacharacter Injection

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell — semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8.

AI Analysis

Command allowlist bypass via shell metacharacter injection in File Browser

Basic Information

ID CVE-2026-54090

Source GitHub_M

Published Jun 25, 2026 at 17:51

Affected Product

Vendor filebrowser

Product filebrowser

Version < 2.33.8

Affected Versions filebrowser filebrowser < 2.33.8

CWE Classification

CWE-77 CWE-184

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor File Browser

Product File Browser

Version < 2.33.8

References

{
    "lastseen": "",
    "description": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell \u2014 semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8.",
    "published": "2026-06-25T17:51:17.656Z",
    "modified": "2026-06-25T17:51:17.656Z",
    "type": "cve",
    "title": "File Browser: Command Allowlist Bypass via Shell Metacharacter Injection",
    "source": "GitHub_M",
    "references": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-8c9q-7855-wfxq\nhttps://github.com/filebrowser/filebrowser/issues/5199",
    "id": "CVE-2026-54090",
    "bulletinFamily": "",
    "cwe": [
        "CWE-77",
        "CWE-184"
    ],
    "cvelist": null,
    "sourceData": "filebrowser filebrowser < 2.33.8",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "filebrowser",
    "version": "< 2.33.8",
    "vendor": "filebrowser",
    "ai_description": "Command allowlist bypass via shell metacharacter injection in File Browser",
    "ai_severity": "High",
    "ai_vendor": "File Browser",
    "ai_product": "File Browser",
    "ai_version": "< 2.33.8",
    "ai_score": 8.7
}

File Browser: Command Allowlist Bypass via Shell Metacharacter Injection_CVE-2026-54090