{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-54088: File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-54088","status":"final","version":"1","initial_release_date":"2026-06-25T17:49:14.017Z","current_release_date":"2026-06-25T18:36:52.953Z","revision_history":[{"date":"2026-06-25T17:49:14.017Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-54088 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-54088"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-54088"},{"category":"external","summary":"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-m93h-4hw7-5qcm","url":"https://github.com/filebrowser/filebrowser/security/advisories/GHSA-m93h-4hw7-5qcm"}]},"product_tree":{"branches":[{"category":"vendor","name":"filebrowser","branches":[{"category":"product_name","name":"filebrowser","branches":[{"category":"product_version","name":"< 2.63.6","product":{"name":"filebrowser filebrowser < 2.63.6","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:filebrowser:filebrowser:\\<_2.63.6:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-54088","title":"File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)","notes":[{"category":"description","text":"File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":9.3,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}