435 matches found
GHSA-C3GJ-Q88F-7HQJ elFinder MySQL has a SQL Injection in its Volume Driver (elFinderVolumeMySQL)
Summary An authenticated SQL injection vulnerability in the elFinder MySQL volume driver elFinderVolumeMySQL allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized...
SQL Injection
Overview studio-42/elfinder is an open-source file manager for web, written in JavaScript using jQuery UI. Affected versions of this package are vulnerable to SQL Injection in the elFinderVolumeMySQL process when handling the target parameter. An attacker can access unauthorized data or cause...
elFinder MySQL has a SQL Injection in its Volume Driver (elFinderVolumeMySQL)
Summary An authenticated SQL injection vulnerability in the elFinder MySQL volume driver elFinderVolumeMySQL allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized...
PT-2026-39896
Name of the Vulnerable Software and Affected Versions elFinder versions prior to 2.1.68 Description An authenticated SQL injection exists in the MySQL volume driver elFinderVolumeMySQL. This issue allows any logged-in user, including those with read-only access, to inject SQL commands via a craft...
CVE-2026-41247
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...
CVE-2026-34415
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authenticati...
CVE-2026-34414
Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value...
CVE-2026-34413
Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit or die, allowing PHP execution to continue and process the...
CVE-2026-41247
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...
CVE-2026-41247
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...
CVE-2026-41247 elFinder: Command injection in resize background color parameter when using ImageMagick CLI
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...
EUVD-2026-25281
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...
CVE-2026-41247 elFinder: Command injection in resize background color parameter when using ImageMagick CLI
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...
CVE-2026-41247
Vulnerability overview: elFinder
CVE-2026-41247 elFinder: Command injection in resize background color parameter when using ImageMagick CLI
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...
elFinder 操作系统命令注入漏洞
ElFinder is an open-source web file manager developed by Studio 42. Versions of ElFinder prior to 2.1.67 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the bg parameter in the resize command being passed into the shell command string witho...
EUVD-2026-25068
Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value...
EUVD-2026-25069
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authenticati...
EUVD-2026-25067
Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit or die, allowing PHP execution to continue and process the...
CVE-2026-34415
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authenticati...