{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-54090", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-11T18:44:47.761Z", "datePublished": "2026-06-25T17:51:17.656Z", "dateUpdated": "2026-06-26T15:32:50.909Z"}, "containers": {"cna": {"title": "File Browser: Command Allowlist Bypass via Shell Metacharacter Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-8c9q-7855-wfxq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-8c9q-7855-wfxq"}, {"name": "https://github.com/filebrowser/filebrowser/issues/5199", "tags": ["x_refsource_MISC"], "url": "https://github.com/filebrowser/filebrowser/issues/5199"}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"version": "< 2.33.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-25T17:51:17.656Z"}, "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell \u2014 semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8."}], "source": {"advisory": "GHSA-8c9q-7855-wfxq", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-8c9q-7855-wfxq", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-26T15:28:16.070106Z", "id": "CVE-2026-54090", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T15:32:50.909Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-54090", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-26T15:28:16.070106Z"}}}], "references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-8c9q-7855-wfxq", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T15:27:15.246Z"}}], "cna": {"title": "File Browser: Command Allowlist Bypass via Shell Metacharacter Injection", "source": {"advisory": "GHSA-8c9q-7855-wfxq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"status": "affected", "version": "< 2.33.8"}]}], "references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-8c9q-7855-wfxq", "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-8c9q-7855-wfxq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/filebrowser/filebrowser/issues/5199", "name": "https://github.com/filebrowser/filebrowser/issues/5199", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell \u2014 semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-184", "description": "CWE-184: Incomplete List of Disallowed Inputs"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-25T17:51:17.656Z"}}}, "cveMetadata": {"cveId": "CVE-2026-54090", "state": "PUBLISHED", "dateUpdated": "2026-06-26T15:32:50.909Z", "dateReserved": "2026-06-11T18:44:47.761Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-25T17:51:17.656Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.33.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "filebrowser", "source": "cna", "vendor": "filebrowser"}, "product": "filebrowser", "vendor": "filebrowser"}], "created": "2026-06-25T19:30:15.940677+00:00", "updated": "2026-06-25T22:00:12.689956+00:00", "vendors": ["filebrowser", "filebrowser$PRODUCT$filebrowser"]}