๐Ÿ” CVE Alert

CVE-2026-60102

HIGH 8.8

Horde VFS < 3.0.1 OS Command Injection via Horde_Vfs_Smb Driver

CVSS Score
8.8
EPSS Score
1.8%
EPSS Percentile
76th

Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled filenames. Attackers can supply malicious filenames containing unescaped command substitution payloads through operations such as file upload, folder creation, rename, or deletion, which are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.

CWE CWE-78
Vendor horde
Product vfs
Published Jul 8, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for horde vfs

Be the first to know when new high vulnerabilities affecting horde vfs are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

horde / Vfs
0 < 3.0.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/horde/Vfs/releases/tag/v3.0.1 github.com: https://github.com/horde/Vfs/pull/10 github.com: https://github.com/horde/Vfs/commit/41f74b4acfc144e09013d04dd121e0a5da808361 vulncheck.com: https://www.vulncheck.com/advisories/horde-vfs-os-command-injection-via-horde-vfs-smb-driver

Credits

Hacker Fantastic