CVE-2026-54088
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)
Vexday Risk Score
48Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.3EPSS 0.5%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
03 Jun 2026Public PoC
25 Jun 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
filebrowser · filebrowserpublic PoCs found — 1
githubgithub.com/Saku0512/CVE-2026-54088-poc★ 0⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →