Product
The Hook Authentication feature in File Browser (versions up to 2.63.5) is vulnerable to a pre-authentication command injection flaw (CVE-2026-54088), allowing an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into login fields during `os.Expand` operations, leading to critical Remote Code Execution (RCE) without valid credentials.