CVE-2026-54090
Status: Deferred - Pending Action
File Browser Command Injection via Shell Metacharacters

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell: semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor       Product      Version / Range
filebrowser  filebrowser  earlier than 2.33.8 (2.33.8 excluded)
filebrowser  filebrowser  2.*
CWE
CWE-184 (Incomplete List of Disallowed Inputs): The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection'): The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Quick Actions (the sections below are AI-generated insights)
Compliance Impact

The CVE-2026-54090 vulnerability allows arbitrary OS command execution at the server process privilege level, which can lead to unauthorized access and potential data breaches.

Such unauthorized command execution and potential data exposure can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and systems.

Because the vulnerability enables attackers to bypass command allowlists and execute arbitrary commands, it increases the risk of compromising confidentiality, integrity, and availability of data, all of which are critical compliance requirements.

Version 2.33.8 mitigates the issue by disabling the command execution feature by default, which reduces the risk for deployments that upgrade and leave the feature off.

Executive Summary

CVE-2026-54090 is a vulnerability in FileBrowser that allows attackers to bypass a command allowlist by injecting shell metacharacters. When a shell interpreter like /bin/sh -c is configured, the allowlist only validates the first token of user input, but the entire raw command string is passed to the shell. An attacker can therefore chain arbitrary commands after an allowed one using characters such as semicolons, pipes, backticks, or $(), so commands that would never pass the allowlist on their own still run.

Exploitation requires that command execution is enabled, that a shell interpreter is configured, and that the attacker holds the Execute permission with at least one allowlisted command to use as the first token. For example, an attacker could send a payload like "ls; id; whoami; cat /etc/passwd", where only "ls" is checked and the remaining commands execute in sequence. This vulnerability affects FileBrowser versions 2.x prior to 2.33.8 and has been fixed by disabling command execution by default starting with version 2.33.8.

Impact Analysis

This vulnerability can lead to arbitrary operating system command execution on the server running FileBrowser. Successful exploitation allows an attacker to run any commands with the privileges of the FileBrowser server process, which is typically root in the default container environment.

Such unauthorized command execution can lead to full system compromise, data theft, data destruction, unauthorized access to sensitive files, and potentially taking control over the entire server environment.

Detection Guidance

Start with a passive check: the bypass needs a FileBrowser version prior to 2.33.8, command execution enabled, a shell interpreter configured, and at least one user who holds the Execute permission with an allowlist entry. If any of those conditions is absent, the deployment is not exploitable through this path.

Where active confirmation is authorized, exploit the allowlist bypass through shell metacharacter injection: send a WebSocket request whose command payload chains a second command after an allowed one, for example "ls; id; whoami; cat /etc/passwd". A harmless marker command after the allowed one (rather than reading sensitive files) is enough to confirm the behaviour on a production system.

If the output shows that the commands after the first token ran despite not being allowlisted individually, the vulnerability is present.
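The first-token check described in the Description and in the Detection Guidance above, modelled as an added example in Go (the language File Browser is written in). This is illustrative code written for this page, not File Browser's own implementation: the allowlist, the sample payloads and the rule that the checked token is the leading run of name characters (so `ls;id` and `ls|id` both yield `ls`) are assumptions, since the advisory does not say how the token is split. `vulnerableArgv` reproduces the flawed behaviour and returns the argv that would reach the configured shell, `hardenedArgv` shows a safe alternative (reject shell operators and build an argv for direct execution without any shell), and `injectionIndicators` is the detection side, listing which operators a submitted command string carries.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample allowlist for this example; not File Browser's configuration.
var allowlist = map[string]bool{"ls": true, "du": true, "cat": true}

// Operators through which a POSIX shell chains, substitutes or redirects
// commands. Any one of them after an allowed command name is enough to bypass
// a check that only looks at the first token.
var shellOperators = []string{"$(", "&&", "||", ";", "|", "&", "`", ">", "<", "\n"}

// commandName returns the leading run of "plain name" characters of raw.
// Assumption of this example: the allowlist check compares only this token,
// so "ls;id" and "ls|id" both yield "ls". The advisory does not state how the
// first token is split.
func commandName(raw string) string {
	raw = strings.TrimLeft(raw, " \t")
	end := 0
	for end < len(raw) {
		c := raw[end]
		isName := c == '_' || c == '-' || c == '.' || c == '/' ||
			(c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
		if !isName {
			break
		}
		end++
	}
	return raw[:end]
}

// vulnerableArgv models the flawed behaviour: it admits raw when the first
// token is allowlisted and returns the argv that would be handed to the
// configured shell interpreter. Everything after the first token rides along.
func vulnerableArgv(raw string) ([]string, error) {
	name := commandName(raw)
	if !allowlist[name] {
		return nil, fmt.Errorf("%q is not an allowed command", name)
	}
	return []string{"/bin/sh", "-c", raw}, nil
}

// hardenedArgv is one safe alternative: reject shell operators outright and
// build an argv for direct execution (exec.Command(argv[0], argv[1:]...)),
// so no shell ever parses the user's string. Splitting on whitespace drops
// quoting, which is fine because quotes only have meaning to a shell.
func hardenedArgv(raw string) ([]string, error) {
	if hits := injectionIndicators(raw); len(hits) > 0 {
		return nil, fmt.Errorf("shell operator(s) %q rejected", hits)
	}
	fields := strings.Fields(raw)
	if len(fields) == 0 {
		return nil, errors.New("empty command")
	}
	if !allowlist[fields[0]] {
		return nil, fmt.Errorf("%q is not an allowed command", fields[0])
	}
	return fields, nil
}

// injectionIndicators is the detection side: it lists which shell operators
// occur in raw, in the fixed order of shellOperators, so submitted command
// strings that try to chain something after the allowed command can be flagged.
func injectionIndicators(raw string) []string {
	var hits []string
	for _, op := range shellOperators {
		if strings.Contains(raw, op) {
			hits = append(hits, op)
		}
	}
	return hits
}

func main() {
	// Constructed sample inputs, including the advisory's example payload.
	samples := []string{
		"ls /srv/files",
		"ls; id; whoami; cat /etc/passwd",
		"ls|id",
		"du -sh `id`",
		"cat /etc/passwd $(id)",
		"rm -rf /srv/files",
	}
	for _, s := range samples {
		v, verr := vulnerableArgv(s)
		h, herr := hardenedArgv(s)
		fmt.Printf("%-36q vulnerable=%v (%v)  hardened=%v (%v)\n", s, v, verr, h, herr)
	}
}
```

Run it with `go run`; `main` prints both verdicts for each sample. The design point is that the hardened path never hands the user's string to `sh -c`: even if an operator slipped past the rejection list, `exec.Command(argv[0], argv[1:]...)` would pass it to the program as a literal argument. The operator list is defence in depth, not the primary control, which is the right way round for an allowlist.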

Mitigation Strategies

The immediate mitigation step is to upgrade FileBrowser to version 2.33.8 or later, where this vulnerability is fixed and the command execution feature is disabled by default.

In 2.33.8 and later the feature stays off unless it is explicitly re-enabled with the `--disable-exec=false` flag or the environment variable `FB_DISABLE_EXEC=false`. Re-enabling it is discouraged unless the security risks are fully understood; if it must be turned on, also avoid configuring a shell interpreter and restrict the Execute permission and the allowlist to trusted users, since the bypass described here needs all three conditions together.
