Lucene search
K

435 matches found

OSV
OSV
added 2026/05/11 4:11 p.m.5 views

GHSA-C3GJ-Q88F-7HQJ elFinder MySQL has a SQL Injection in its Volume Driver (elFinderVolumeMySQL)

Summary An authenticated SQL injection vulnerability in the elFinder MySQL volume driver elFinderVolumeMySQL allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized...

8.8CVSS5.8AI score0.00243EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/11 4:11 p.m.7 views

SQL Injection

Overview studio-42/elfinder is an open-source file manager for web, written in JavaScript using jQuery UI. Affected versions of this package are vulnerable to SQL Injection in the elFinderVolumeMySQL process when handling the target parameter. An attacker can access unauthorized data or cause...

8.8CVSS5.9AI score0.00243EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/11 4:11 p.m.20 views

elFinder MySQL has a SQL Injection in its Volume Driver (elFinderVolumeMySQL)

Summary An authenticated SQL injection vulnerability in the elFinder MySQL volume driver elFinderVolumeMySQL allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized...

8.8CVSS5.8AI score0.00243EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.13 views

PT-2026-39896

Name of the Vulnerable Software and Affected Versions elFinder versions prior to 2.1.68 Description An authenticated SQL injection exists in the MySQL volume driver elFinderVolumeMySQL. This issue allows any logged-in user, including those with read-only access, to inject SQL commands via a craft...

8.8CVSS5.8AI score0.00243EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/04/25 7:22 a.m.9 views

CVE-2026-41247

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...

9.8CVSS5.9AI score0.01567EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/25 1:22 a.m.15 views

CVE-2026-34415

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authenticati...

9.8CVSS5.8AI score0.03575EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/04/25 1:22 a.m.12 views

CVE-2026-34414

Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value...

7.1CVSS6.4AI score0.02826EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/04/23 7:58 p.m.10 views

CVE-2026-34413

Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit or die, allowing PHP execution to continue and process the...

8.8CVSS6.6AI score0.02804EPSS
Exploits2References1
NVD
NVD
added 2026/04/23 7:17 p.m.37 views

CVE-2026-41247

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...

9.8CVSS0.01567EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/23 6:47 p.m.4 views

CVE-2026-41247

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...

9.3CVSS6.1AI score0.01567EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/04/23 6:47 p.m.43 views

CVE-2026-41247 elFinder: Command injection in resize background color parameter when using ImageMagick CLI

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...

9.3CVSS0.01567EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/23 6:47 p.m.7 views

EUVD-2026-25281

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...

9.3CVSS6.1AI score0.01567EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/23 6:47 p.m.2 views

CVE-2026-41247 elFinder: Command injection in resize background color parameter when using ImageMagick CLI

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...

9.3CVSS5.9AI score0.01567EPSS
Exploits0References1
CVE
CVE
added 2026/04/23 6:47 p.m.12 views

CVE-2026-41247

Vulnerability overview: elFinder

9.8CVSS6.1AI score0.01567EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/04/23 6:47 p.m.2 views

CVE-2026-41247 elFinder: Command injection in resize background color parameter when using ImageMagick CLI

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...

9.3CVSS6.2AI score0.01567EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/23 12:0 a.m.10 views

elFinder 操作系统命令注入漏洞

ElFinder is an open-source web file manager developed by Studio 42. Versions of ElFinder prior to 2.1.67 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the bg parameter in the resize command being passed into the shell command string witho...

9.8CVSS5.9AI score0.01567EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/22 9:32 p.m.9 views

EUVD-2026-25068

Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value...

7.1CVSS6.3AI score0.02826EPSS
Exploits2References8
EUVD
EUVD
added 2026/04/22 9:32 p.m.6 views

EUVD-2026-25069

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authenticati...

9.8CVSS6AI score0.03575EPSS
Exploits2References8
EUVD
EUVD
added 2026/04/22 9:32 p.m.13 views

EUVD-2026-25067

Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit or die, allowing PHP execution to continue and process the...

8.8CVSS6.6AI score0.02804EPSS
Exploits2References8
NVD
NVD
added 2026/04/22 7:17 p.m.7 views

CVE-2026-34415

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authenticati...

9.8CVSS0.03575EPSS
Exploits2References8
Rows per page
Query Builder