CVE-2026-60102
Received Received - Intake

Horde VFS API OS Command Injection via SMB Driver

Vulnerability report for CVE-2026-60102, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled filenames. Attackers can supply malicious filenames containing unescaped command substitution payloads through operations such as file upload, folder creation, rename, or deletion, which are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
horde vfs 3.0.1
horde horde_virtual_file_system to 3.0.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-60102 is an OS command injection vulnerability in the Horde Virtual File System (VFS) API versions before 3.0.1, specifically in the Horde_Vfs_Smb driver. The vulnerability arises because the _escapeShellCommand() method fails to properly sanitize command substitution sequences in user-controlled filenames. This allows authenticated attackers to inject arbitrary shell commands by supplying malicious filenames containing unescaped command substitution payloads during file operations such as upload, folder creation, rename, or deletion.

These malicious payloads are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before the smbclient command runs, resulting in arbitrary command execution on the underlying system.

Impact Analysis

This vulnerability can have serious impacts because it allows an authenticated attacker to execute arbitrary shell commands on the underlying system where the Horde VFS API is running. This could lead to unauthorized access, data manipulation, system compromise, or further exploitation of the affected environment.

Since the attacker can inject commands through common file operations, they could potentially escalate privileges, disrupt services, or exfiltrate sensitive information.

Detection Guidance

This vulnerability involves command injection through user-controlled filenames in the Horde_Vfs_Smb driver. Detection would involve monitoring for suspicious filenames containing command substitution sequences such as $(), backticks, or newlines used in file operations like upload, rename, or deletion.

Since the vulnerability exploits shell command injection via filenames, you can detect attempts by searching logs or SMB operations for filenames containing suspicious shell metacharacters or command substitution patterns.

  • Use grep or similar tools to search for suspicious filenames in logs or file system metadata, e.g., grep -E '\$\(|`|\n' /path/to/logs or SMB file listings.
  • Monitor SMB client commands or system logs for unexpected shell command executions or errors related to smbclient.

No specific detection commands are provided in the resources, but focusing on identifying filenames with unescaped shell command substitution sequences in file operations is recommended.

Mitigation Strategies

The primary mitigation is to upgrade the Horde Virtual File System (VFS) API to version 3.0.1 or later, where the vulnerability has been fixed.

The fix removes shell-based command execution and replaces it with direct calls to proc_open() without shell interpretation, and properly escapes filenames to prevent command injection.

  • Update Horde VFS to version 3.0.1 or newer.
  • Avoid using vulnerable versions of the Horde_Vfs_Smb driver that do not properly sanitize filenames.
  • If immediate upgrade is not possible, restrict authenticated users' ability to upload or rename files with suspicious characters that could be used for command injection.
Compliance Impact

The vulnerability allows authenticated attackers to execute arbitrary shell commands on the underlying system by injecting malicious filenames. This can lead to unauthorized access, data manipulation, or system compromise.

Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

Specifically, exploitation of this vulnerability could result in confidentiality, integrity, and availability violations of protected data, thereby risking non-compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-60102. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart