{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/elfinder/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["elfinder (\u003c= 2.1.67)"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","elfinder"],"_cs_type":"advisory","_cs_vendors":["studio-42"],"content_html":"\u003cp\u003eThe elFinder file manager is vulnerable to SQL injection in its MySQL volume driver (\u003ccode\u003eelFinderVolumeMySQL\u003c/code\u003e). The flaw, tracked as CVE-2026-44521, lets any authenticated user, including one with only read access to the affected volume, inject SQL by sending a crafted file hash in the \u003ccode\u003etarget\u003c/code\u003e parameter. Only installations configured to use the MySQL volume driver are affected; those using the default \u003ccode\u003eLocalFileSystem\u003c/code\u003e driver are not. Note that the elFinder connector performs no authentication of its own: who counts as \u0026ldquo;authenticated\u0026rdquo; is decided by the application embedding it, so a connector exposed without application-level access control is reachable by anyone who can send it requests. The root cause is that the driver does not check that a decoded file hash is a valid identifier for one of its MySQL records before building a query from it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the application hosting elFinder with a valid user account.\u003c/li\u003e\n\u003cli\u003eThe attacker confirms that the instance serves a volume through the MySQL driver.\u003c/li\u003e\n\u003cli\u003eThe attacker encodes a SQL injection payload as an elFinder file hash and places it in the \u003ccode\u003etarget\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe request reaches one of the code paths that consume the hash: \u003ccode\u003ecacheDir()\u003c/code\u003e, \u003ccode\u003e_joinPath()\u003c/code\u003e, \u003ccode\u003e_stat()\u003c/code\u003e, or \u003ccode\u003e_fopen()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eelFinder decodes the hash without validating the result.\u003c/li\u003e\n\u003cli\u003eThe decoded payload is concatenated into a MySQL query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL runs with the privileges of the driver\u0026rsquo;s MySQL account, returning data the user is not entitled to or forcing an expensive query.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the leaked data from the response or observes the resulting denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation lets an authenticated user, even one with read-only access, read whatever the configured MySQL account can read: file contents stored by the driver, database metadata, and any other tables that account can reach. It can also cause denial of service through expensive or very broad queries. Severity is therefore bounded by the privileges of the MySQL account. Affected packages include \u003ccode\u003ecomposer/studio-42/elfinder\u003c/code\u003e versions 2.1.67 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ecomposer/studio-42/elfinder\u003c/code\u003e to a release later than 2.1.67 that fixes CVE-2026-44521. This brief does not name the first fixed version; confirm it against the project\u0026rsquo;s release notes rather than assuming the next patch release.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect elFinder SQL Injection Attempt via Target Parameter\u0026rdquo; to flag requests carrying a suspicious file hash in the \u003ccode\u003etarget\u003c/code\u003e parameter. Because the hash is base64-derived, matching SQL keywords against the raw parameter misses most payloads; where the logging pipeline allows it, decode the hash and alert when the result is not a plain file identifier for the MySQL volume.\u003c/li\u003e\n\u003cli\u003eRun the driver with a least-privilege MySQL account limited to elFinder\u0026rsquo;s own tables, since the impact is bounded by what that account can query.\u003c/li\u003e\n\u003cli\u003eIf the MySQL volume driver is not a requirement, switch to the default \u003ccode\u003eLocalFileSystem\u003c/code\u003e driver, which is not affected.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T16:13:41Z","date_published":"2026-05-11T16:13:41Z","id":"https://feed.craftedsignal.io/briefs/2026-05-elfinder-sqli/","summary":"An authenticated SQL injection vulnerability (CVE-2026-44521) in the elFinder MySQL volume driver (`elFinderVolumeMySQL`) lets any logged-in user, including read-only users, inject SQL through a crafted `target` file hash, leading to unauthorized data disclosure and denial of service.","title":"elFinder MySQL Volume Driver SQL Injection (CVE-2026-44521)","url":"https://feed.craftedsignal.io/briefs/2026-05-elfinder-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Elfinder","version":"https://jsonfeed.org/version/1.1"}
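Worked example for the attack chain and the recommendations in the brief above. It is added here and is not elFinder's code or the feed's: an in-memory SQLite table with constructed rows stands in for the MySQL driver's file table, the access-log lines and the `/php/connector.php` path are constructed, and the hash scheme is an assumption drawn from a reading of the elFinder connector source (a hash is a volume id of the form driver-letter, counter, underscore, with `m` for the MySQL driver, followed by base64 of the volume-relative path with `+/=` mapped to `-_.` and trailing dots stripped; for the MySQL driver that path is the numeric row id). Verify those details against your installed version before reusing the detection logic. The block shows the injectable concatenation beside a validating, parameterised lookup, and a log pass that decodes `target` hashes instead of pattern-matching the raw parameter.

```python
"""Added example, not elFinder's own code. SQLite stands in for MySQL; rows,
log lines and connector path are constructed. Hash scheme is an assumption:
<driver letter><counter>_ + base64(path) with '+/=' -> '-_.' and trailing '.'
stripped; 'm' volumes are MySQL volumes whose path is a numeric row id."""
import base64
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

HASH_RE = re.compile(r"^([a-z]\d+_)(.*)$")  # volume id prefix, encoded body
ID_RE = re.compile(r"[0-9]+")               # what a MySQL-volume path must look like
TO_URLSAFE = str.maketrans("+/=", "-_.")
FROM_URLSAFE = str.maketrans("-_.", "+/=")


def encode_target(path, volume_id="m1_"):
    """Build a hash the way elFinder does under the assumptions above."""
    body = base64.b64encode(path.encode()).decode().translate(TO_URLSAFE)
    return volume_id + body.rstrip(".")


def decode_target(target):
    """Return (volume_id, decoded_path); raise ValueError on a malformed hash."""
    m = HASH_RE.match(target)
    if not m:
        raise ValueError(f"not an elFinder hash: {target!r}")
    body = m.group(2).translate(FROM_URLSAFE)
    body += "=" * (-len(body) % 4)  # restore the padding elFinder strips
    try:
        path = base64.b64decode(body, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"undecodable hash body in {target!r}") from exc
    return m.group(1), path


def make_db():
    """Constructed sample data: one row the caller may read, one it may not."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE files(id INTEGER PRIMARY KEY, parent_id INTEGER, name TEXT,
                           mime TEXT, content TEXT, read INTEGER);
        INSERT INTO files VALUES (1, 0, 'root', 'directory', NULL, 1);
        INSERT INTO files VALUES (2, 1, 'public.txt', 'text/plain', 'hello', 1);
        INSERT INTO files VALUES (3, 1, 'secret.txt', 'text/plain', 'db password: hunter2', 0);
    """)
    return db


def vulnerable_stat(db, target):
    """The shape of the flaw: the decoded path is spliced straight into the SQL text."""
    _, path = decode_target(target)
    return db.execute(f"SELECT id, name, content FROM files WHERE id='{path}'").fetchall()


def safe_stat(db, target):
    """Hardened lookup: decoded path must be a numeric id, and it is bound, not concatenated."""
    _, path = decode_target(target)
    if not ID_RE.fullmatch(path):
        raise ValueError(f"decoded hash is not a file id: {path!r}")
    return db.execute("SELECT id, name, content FROM files WHERE id=?", (int(path),)).fetchall()


def suspicious_targets(log_lines):
    """Detection pass over request lines ('METHOD URI HTTP/x'): report every target
    (or targets[]) hash on an 'm' volume whose decoded path is not a numeric id,
    and any hash that does not decode at all."""
    hits = []
    for line in log_lines:
        m = re.match(r"^\S+\s+(\S+)\s+HTTP/", line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query)
        for t in params.get("target", []) + params.get("targets[]", []):
            try:
                volume_id, path = decode_target(t)
            except ValueError:
                hits.append((line, t, None))
                continue
            if volume_id.startswith("m") and not ID_RE.fullmatch(path):
                hits.append((line, t, path))
    return hits


PAYLOAD = "0' OR 1=1 -- "  # tautology; the space after '--' matters for MySQL's comment syntax
CONSTRUCTED_LOG = [  # hypothetical connector path; 'm1_Mg' decodes to id 2, 'l1_Lw' to '/'
    "GET /php/connector.php?cmd=open&target=m1_Mg HTTP/1.1",
    "GET /php/connector.php?cmd=file&target=" + encode_target(PAYLOAD) + " HTTP/1.1",
    "GET /php/connector.php?cmd=open&target=l1_Lw HTTP/1.1",  # LocalFileSystem volume: out of scope
]

if __name__ == "__main__":
    db = make_db()
    print("legit   :", vulnerable_stat(db, "m1_Mg"))
    print("injected:", vulnerable_stat(db, encode_target(PAYLOAD)))  # every row, secret included
    try:
        safe_stat(db, encode_target(PAYLOAD))
    except ValueError as exc:
        print("blocked :", exc)
    for line, t, path in suspicious_targets(CONSTRUCTED_LOG):
        print("ALERT   :", path, "<-", line)
```

The detection deliberately keys on the decoded value rather than on SQL keywords in the raw parameter, because base64 hides `OR`, `UNION` and quotes from a naive regex; it also skips `l` (LocalFileSystem) volumes, which the brief marks as unaffected, and treats an undecodable hash as worth a look since a legitimate client never sends one.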