CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-m93h-4hw7-5qcm: File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)

criticalCVE-2026-54088
Overview The Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. Affected Location - File: auth/hook.go - Function: HookAuth.RunCommand CVSS v4.0 | Metric | Value | Rationale | |---|---|---| | Attack Vector (AV) | Network (N) | Exploitable via the login endpoint over HTTP from any network | | Attack Complexity (AC) | Low (L) | Single crafted HTTP request; no preparation needed | | Attack Requirements (AT) | None (N) | No race condition or special timing required | | Privileges Required (PR) | None (N) | No account required — pre-authentication attack | | User Interaction (UI) | None (N) | Fully automated; no victim action needed | | Vulnerable System Confidentiality (VC) | High (H) | Full read access to server filesystem and env | | Vulnerable System Integrity (VI) | High (H) | Arbitrary file write/modification | | Vulnerable System Availability (VA) | High (H) | Can kill processes, exhaust resources | | Subsequent System Confidentiality (SC) | None (N) | No direct impact on downstream systems assumed | | Subsequent System Integrity (SI) | None (N) | — | | Subsequent System Availability (SA) | None (N) | — | Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score: 9.3 (Critical) Note: PR:None is the critical differentiator from vulnerabilities 01 and 02. Because the injection point is the unauthenticated login endpoint, no account or session is required. A single HTTP request to the login API is sufficient to achieve RCE. CWE | ID | Name | Role | |---|---|---| | CWE-78 |

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
critical
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-m93h-4hw7-5qcm

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-54088coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories