DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-54088: CVE-2026-54088: Pre-Authentication Remote Code Execution in File Browser Hook Authentication

CVE-2026-54088: Pre-Authentication Remote Code Execution in File Browser Hook Authentication

Vulnerability ID: CVE-2026-54088
CVSS Score: 9.3
Published: 2026-07-10

CVE-2026-54088 is a critical command injection vulnerability in File Browser prior to version 2.63.6. When Hook Authentication is enabled, the application interpolates unsanitized credentials into a shell command, allowing unauthenticated remote code execution.

TL;DR

Unauthenticated remote command execution vulnerability in File Browser's Hook Authentication feature via unsanitized username/password inputs.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-78
  • Attack Vector: Network (AV:N)
  • CVSS Score: 9.3 (Critical)
  • EPSS Score: 0.00533 (Percentile: 41.19%)
  • Impact: Pre-Authentication Remote Code Execution
  • Exploit Status: Public Proof-of-Concept Available
  • CISA KEV Status: Not Listed

Affected Systems

  • File Browser (all deployments using Hook Authentication prior to 2.63.6)
  • filebrowser: < 2.63.6 (Fixed in: 2.63.6)

Code Analysis

Commit: 34ae34e

Fix command injection in Hook Authentication by removing os.Expand

Exploit Details

  • GitHub: Proof of Concept exploit for CVE-2026-54088

Mitigation Strategies

  • Upgrade File Browser to version 2.63.6 or later.
  • Disable Hook Authentication and fall back to local database authentication.
  • Deploy Web Application Firewall (WAF) rules to inspect login payloads.

Remediation Steps:

  1. Identify running File Browser instances and check current versions.
  2. Pull and deploy the patched version (v2.63.6 or higher).
  3. If immediate patching is impossible, disable the Hook Auth feature via configuration.
  4. Verify the vulnerability is resolved by testing with safe canary injection attempts.

References


Read the full report for CVE-2026-54088 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)