Vulnerability Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.
Related Weaknesses (CWE)
References
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-m93h-4hw7-5q
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-m93h-4hw7-5q
FAQ
What is CVE-2026-54088?
CVE-2026-54088 is a documented vulnerability. File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browse...
How severe is CVE-2026-54088?
CVSS scoring is not yet available for CVE-2026-54088. Check NVD for updates.
Is there a patch for CVE-2026-54088?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.