<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>File Browser - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/file-browser/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 19:35:16 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/file-browser/feed.xml" rel="self" type="application/rss+xml"/><item><title>File Browser Pre-Authentication Command Injection via Authentication Hook (CVE-2026-54088)</title><link>https://feed.craftedsignal.io/briefs/2026-07-filebrowser-preauth-rce/</link><pubDate>Fri, 10 Jul 2026 19:35:16 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-filebrowser-preauth-rce/</guid><description>The Hook Authentication feature in File Browser (versions up to 2.63.5) is vulnerable to a pre-authentication command injection flaw (CVE-2026-54088), allowing an unauthenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into login fields during `os.Expand` operations, leading to critical Remote Code Execution (RCE) without valid credentials.</description><content:encoded><![CDATA[<p>The File Browser application, specifically versions up to and including 2.63.5, contains a critical pre-authentication remote code execution (RCE) vulnerability, identified as CVE-2026-54088. This flaw resides within its Hook Authentication feature, where the application delegates login verification to an external shell command. User-supplied credentials, particularly the username and password, are interpolated into this command string using <code>os.Expand</code> without proper sanitization. Consequently, an unauthenticated remote attacker can inject shell metacharacters into the login fields, such as the username or password. This manipulation causes the server to execute arbitrary operating system commands with the privileges of the File Browser process before any authentication can take place. The vulnerability allows for complete server compromise, making it a high-priority threat for organizations utilizing affected File Browser instances, especially those exposed to the internet.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An administrator configures File Browser's Hook Authentication feature, setting up an external shell command for login verification (e.g., <code>sh -c &quot;test $USERNAME = 'admin'&quot;</code>).</li>
<li>An unauthenticated attacker sends a crafted login request to the File Browser instance via HTTP (e.g., using <code>curl</code> or the web UI).</li>
<li>The attacker injects shell metacharacters (e.g., <code>; id #</code>) into the username field of the login request.</li>
<li>The File Browser application's <code>auth/hook.go</code> <code>HookAuth.RunCommand</code> function processes the login attempt.</li>
<li>Inside <code>RunCommand</code>, the <code>os.Expand</code> function performs a plain text substitution, embedding the attacker's malicious input directly into the configured shell command string.</li>
<li>The manipulated command, now containing the injected shell commands, is executed by the server (e.g., <code>sh -c &quot;test ; id # = 'admin'&quot;</code>).</li>
<li>The attacker's arbitrary command (e.g., <code>id</code>) is executed on the server with the privileges of the <code>filebrowser</code> process.</li>
<li>The attacker achieves pre-authentication remote code execution, enabling data exfiltration, persistent backdoor installation, or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>An unauthenticated remote attacker can achieve full control over the server hosting the File Browser instance. This pre-authentication RCE means compromise requires no prior foothold, no valid credentials, and a single crafted HTTP request. Successful exploitation leads to severe consequences, including complete server compromise, data exfiltration, installation of persistent backdoors, and potential lateral movement into internal networks. Any internet-facing File Browser deployment with Hook Authentication enabled is at critical risk of full system takeover.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-54088 immediately by upgrading File Browser to a version greater than 2.63.5.</li>
<li>If immediate patching is not possible, disable the Hook Authentication feature in File Browser.</li>
<li>Deploy the Sigma rule &quot;Detect CVE-2026-54088 Exploitation - File Browser Command Injection&quot; to your SIEM and monitor for <code>process_creation</code> events, specifically unusual child processes spawned by the <code>filebrowser</code> executable.</li>
<li>Enable <code>process_creation</code> logging for Linux systems to ensure visibility for the detection rule.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>command-injection</category><category>rce</category><category>web-application</category></item><item><title>File Browser Proxy Authentication Bypass Vulnerability (CVE-2026-35607)</title><link>https://feed.craftedsignal.io/briefs/2024-01-file-browser-auth-bypass/</link><pubDate>Mon, 08 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-file-browser-auth-bypass/</guid><description>File Browser versions before 2.63.1 improperly grant execution capabilities to new users created via proxy authentication, leading to privilege escalation.</description><content:encoded><![CDATA[<p>File Browser is a file management interface that allows users to upload, delete, preview, rename, and edit files. A vulnerability, identified as CVE-2026-35607, exists in versions prior to 2.63.1. This flaw stems from inconsistent application of a fix intended to restrict execution permissions for self-registered users. While the fix was correctly implemented for the signup handler (commit b6a4fb1), it was not applied to the proxy authentication handler. As a result, users automatically created upon their first successful proxy authentication login are inadvertently granted execution capabilities based on global defaults. This contradicts the intended security measure of preventing automatic accounts from inheriting execution rights. This vulnerability allows unauthorized users to execute commands, potentially leading to system compromise. The issue is resolved in File Browser version 2.63.1.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user attempts to access the File Browser interface via proxy authentication.</li>
<li>The File Browser instance, running a version prior to 2.63.1, authenticates the user through the proxy.</li>
<li>If the user does not already exist, the application automatically creates a new user account.</li>
<li>Due to the missing fix in the proxy authentication handler, the newly created user account is granted execution permissions.</li>
<li>The attacker leverages the granted execution permissions to execute arbitrary commands on the server.</li>
<li>These commands could be used to read sensitive files, modify system configurations, or install malicious software.</li>
<li>The attacker uses the file management interface to upload a malicious script.</li>
<li>The attacker executes the malicious script, achieving arbitrary code execution on the server, potentially leading to data exfiltration or system takeover.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-35607 allows unauthenticated or newly authenticated users to gain unauthorized execution privileges within the File Browser application. This can lead to the execution of arbitrary commands, potentially compromising the server hosting the application. The CVSS v3.1 base score for this vulnerability is 8.1, indicating a high level of severity. Depending on the server configuration, this could result in data breaches, system downtime, or complete system takeover.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade File Browser to version 2.63.1 or later to remediate CVE-2026-35607.</li>
<li>Implement the Sigma rule &quot;Detect File Browser Unauthorized Command Execution&quot; to identify potential exploitation attempts by monitoring for suspicious process creation events initiated by the File Browser process.</li>
<li>Review and restrict the default execution permissions for File Browser to minimize the impact of potential exploits.</li>
<li>Monitor web server logs for unusual activity associated with File Browser, specifically HTTP requests related to file uploads and execution.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>file-browser</category><category>authentication-bypass</category><category>privilege-escalation</category><category>cve-2026-35607</category></item></channel></rss>