{“lastseen”:””,”description”:”File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. \/bin\/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell \u2014 semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8.”,”published”:”2026-06-25T17:51:17.656Z”,”modified”:”2026-06-25T17:51:17.656Z”,”type”:”cve”,”title”:”File Browser: Command Allowlist Bypass via Shell Metacharacter Injection”,”source”:”GitHub_M”,”references”:”https:\/\/github.com\/filebrowser\/filebrowser\/security\/advisories\/GHSA-8c9q-7855-wfxq\\nhttps:\/\/github.com\/filebrowser\/filebrowser\/issues\/5199″,”id”:”CVE-2026-54090″,”bulletinFamily”:””,”cwe”:[“CWE-77″,”CWE-184″],”cvelist”:null,”sourceData”:”filebrowser filebrowser \\u003c 2.33.8″,”sourceHref”:””,”cvss”:{“score”:8.7,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:N\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”filebrowser”,”version”:”\\u003c 2.33.8″,”vendor”:”filebrowser”,”ai_description”:”Command allowlist bypass via shell metacharacter injection in File Browser”,”ai_severity”:”High”,”ai_vendor”:”File Browser”,”ai_product”:”File Browser”,”ai_version”:”\\u003c 2.33.8″,”ai_score”:8.7}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,19,12,15,13,7,11,5],"class_list":["post-65821","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-87","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n