{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/horde/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-60102"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Horde Virtual File System (VFS) API \u003c 3.0.1"],"_cs_severities":["high"],"_cs_tags":["os-command-injection","rce","webserver","horde","cve"],"_cs_type":"advisory","_cs_vendors":["Horde"],"content_html":"\u003cp\u003eA critical OS command injection vulnerability, tracked as CVE-2026-60102, has been identified in the Horde Virtual File System (VFS) API, affecting versions prior to 3.0.1. This flaw resides within the Horde_Vfs_Smb driver's \u003ccode\u003e_escapeShellCommand()\u003c/code\u003e method, which fails to properly sanitize command substitution sequences. Authenticated attackers can exploit this by crafting malicious filenames containing unescaped shell commands and performing standard file operations such as upload, folder creation, rename, or deletion. These malicious filenames are then interpolated into a double-quoted shell context and executed via \u003ccode\u003eproc_open()\u003c/code\u003e through \u003ccode\u003e/bin/sh -c\u003c/code\u003e before the \u003ccode\u003esmbclient\u003c/code\u003e utility runs. Successful exploitation results in arbitrary command execution on the server hosting the Horde VFS, granting attackers significant control over the compromised system. This vulnerability poses a severe risk to organizations using affected Horde VFS installations, as it allows for unauthorized code execution and potential data compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker gains authenticated access to a vulnerable Horde Virtual File System (VFS) API instance using legitimate or compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCraft Malicious Input\u003c/strong\u003e: The attacker prepares a filename that includes OS command substitution sequences (e.g., \u003ccode\u003e$(id)\u003c/code\u003e, \u003ccode\u003e| ls -la\u003c/code\u003e, \u003ccode\u003efile.php;rm -rf /\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTrigger File Operation\u003c/strong\u003e: The attacker initiates a file operation, such as uploading a file, creating a folder, renaming a file/folder, or deleting a file/folder, providing the malicious filename.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Code Execution\u003c/strong\u003e: The Horde_Vfs_Smb driver processes the request, and the \u003ccode\u003e_escapeShellCommand()\u003c/code\u003e method is called to sanitize the filename before passing it to an underlying system command.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFailed Sanitization\u003c/strong\u003e: Due to the vulnerability, \u003ccode\u003e_escapeShellCommand()\u003c/code\u003e fails to properly sanitize the command substitution sequences within the attacker-controlled filename.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Injection\u003c/strong\u003e: The unsanitized malicious filename is interpolated into a double-quoted shell context that is passed to \u003ccode\u003eproc_open()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Command Execution\u003c/strong\u003e: The \u003ccode\u003e/bin/sh -c\u003c/code\u003e command interpreter executes the injected arbitrary shell commands on the underlying system, leading to full compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-60102 allows authenticated attackers to achieve arbitrary command execution on the server hosting the Horde VFS API. This means attackers can execute any command with the privileges of the web server process, potentially leading to full system compromise, data exfiltration, installation of backdoors, defacement of web content, or further network lateral movement. For organizations relying on Horde VFS for document management or collaboration, this vulnerability can result in significant operational disruption, data breaches, and reputational damage. The NVD rates this with a CVSS v3.1 Base Score of 8.8, indicating high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch CVE-2026-60102 by upgrading Horde Virtual File System (VFS) API to version 3.0.1 or later on all affected systems.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect attempts to exploit CVE-2026-60102.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server access logging (e.g., Apache, Nginx) to capture \u003ccode\u003ecs-uri-query\u003c/code\u003e and \u003ccode\u003ecs-uri-stem\u003c/code\u003e details for all requests, which can be used by the detection rule.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eproc_open()\u003c/code\u003e calls for unusual shell command execution patterns if your endpoint detection and response (EDR) or system logging provides this visibility.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T17:20:42Z","date_published":"2026-07-08T17:20:42Z","id":"https://feed.craftedsignal.io/briefs/2026-07-horde-vfs-os-command-injection/","summary":"CVE-2026-60102 describes an OS command injection vulnerability in the Horde Virtual File System (VFS) API before version 3.0.1, specifically within the Horde_Vfs_Smb driver, which allows authenticated attackers to inject arbitrary shell commands via user-controlled filenames during file operations, leading to arbitrary command execution on the underlying system.","title":"CVE-2026-60102: Horde VFS OS Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-horde-vfs-os-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Horde","version":"https://jsonfeed.org/version/1.1"}