CVE-2026-54090

UNKNOWN 0.0

File Browser: Command Allowlist Bypass via Shell Metacharacter Injection

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be bypassed through shell metacharacters. The allowlist validates only the first token of user input, but the entire raw string is handed to the shell — semicolons, pipes, backticks, and $() all work to chain arbitrary commands after a permitted one. This vulnerability is fixed in 2.33.8.

CWE	CWE-77 CWE-184
Vendor	filebrowser
Product	filebrowser
Published	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for filebrowser filebrowser

Be the first to know when new unknown vulnerabilities affecting filebrowser filebrowser are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

filebrowser / filebrowser

< 2.33.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-8c9q-7855-wfxq github.com: https://github.com/filebrowser/filebrowser/issues/5199