{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/file-browser--2.63.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-54088"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["File Browser (\u003c= 2.63.5)"],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","web-application"],"_cs_type":"advisory","_cs_vendors":["File Browser"],"content_html":"\u003cp\u003eThe File Browser application, specifically versions up to and including 2.63.5, contains a critical pre-authentication remote code execution (RCE) vulnerability, identified as CVE-2026-54088. This flaw resides within its Hook Authentication feature, where the application delegates login verification to an external shell command. User-supplied credentials, particularly the username and password, are interpolated into this command string using \u003ccode\u003eos.Expand\u003c/code\u003e without proper sanitization. Consequently, an unauthenticated remote attacker can inject shell metacharacters into the login fields, such as the username or password. This manipulation causes the server to execute arbitrary operating system commands with the privileges of the File Browser process before any authentication can take place. The vulnerability allows for complete server compromise, making it a high-priority threat for organizations utilizing affected File Browser instances, especially those exposed to the internet.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator configures File Browser's Hook Authentication feature, setting up an external shell command for login verification (e.g., \u003ccode\u003esh -c \u0026quot;test $USERNAME = 'admin'\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted login request to the File Browser instance via HTTP (e.g., using \u003ccode\u003ecurl\u003c/code\u003e or the web UI).\u003c/li\u003e\n\u003cli\u003eThe attacker injects shell metacharacters (e.g., \u003ccode\u003e; id #\u003c/code\u003e) into the username field of the login request.\u003c/li\u003e\n\u003cli\u003eThe File Browser application's \u003ccode\u003eauth/hook.go\u003c/code\u003e \u003ccode\u003eHookAuth.RunCommand\u003c/code\u003e function processes the login attempt.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003eRunCommand\u003c/code\u003e, the \u003ccode\u003eos.Expand\u003c/code\u003e function performs a plain text substitution, embedding the attacker's malicious input directly into the configured shell command string.\u003c/li\u003e\n\u003cli\u003eThe manipulated command, now containing the injected shell commands, is executed by the server (e.g., \u003ccode\u003esh -c \u0026quot;test ; id # = 'admin'\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker's arbitrary command (e.g., \u003ccode\u003eid\u003c/code\u003e) is executed on the server with the privileges of the \u003ccode\u003efilebrowser\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves pre-authentication remote code execution, enabling data exfiltration, persistent backdoor installation, or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn unauthenticated remote attacker can achieve full control over the server hosting the File Browser instance. This pre-authentication RCE means compromise requires no prior foothold, no valid credentials, and a single crafted HTTP request. Successful exploitation leads to severe consequences, including complete server compromise, data exfiltration, installation of persistent backdoors, and potential lateral movement into internal networks. Any internet-facing File Browser deployment with Hook Authentication enabled is at critical risk of full system takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-54088 immediately by upgrading File Browser to a version greater than 2.63.5.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not possible, disable the Hook Authentication feature in File Browser.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect CVE-2026-54088 Exploitation - File Browser Command Injection\u0026quot; to your SIEM and monitor for \u003ccode\u003eprocess_creation\u003c/code\u003e events, specifically unusual child processes spawned by the \u003ccode\u003efilebrowser\u003c/code\u003e executable.\u003c/li\u003e\n\u003cli\u003eEnable \u003ccode\u003eprocess_creation\u003c/code\u003e logging for Linux systems to ensure visibility for the detection rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T19:35:16Z","date_published":"2026-07-10T19:35:16Z","id":"https://feed.craftedsignal.io/briefs/2026-07-filebrowser-preauth-rce/","summary":"The Hook Authentication feature in File Browser (versions up to 2.63.5) is vulnerable to a pre-authentication command injection flaw (CVE-2026-54088), allowing an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into login fields during `os.Expand` operations, leading to critical Remote Code Execution (RCE) without valid credentials.","title":"File Browser Pre-Authentication Command Injection via Authentication Hook (CVE-2026-54088)","url":"https://feed.craftedsignal.io/briefs/2026-07-filebrowser-preauth-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - File Browser (\u003c= 2.63.5)","version":"https://jsonfeed.org/version/1.1"}