Product
An authenticated SQL injection vulnerability (CVE-2026-44521) exists in the elFinder MySQL volume driver (`elFinderVolumeMySQL`) allowing any logged-in user, including read-only users, to inject SQL through a crafted `target` file hash leading to unauthorized data disclosure and denial of service.