CVE-2026-54088
File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)
Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.
INFO
Published Date :
June 25, 2026, 5:49 p.m.
Last Modified :
June 25, 2026, 5:49 p.m.
Remotely Exploit :
Yes !
Source :
GitHub_M
Affected Products
The following products are affected by CVE-2026-54088
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 4.0 | CRITICAL | [email protected] |
Solution
- Update File Browser to version 2.63.6 or later.
- Review and sanitize external command inputs.
- Disable Hook Authentication if not required.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-54088 vulnerability anywhere in the article.