CVE-2026-54088

File Browser (web UI) before version 2.63.6 is affected by a pre-authentication RCE. The Hook Authentication feature interpolates user-supplied credentials into a shell command using os.Expand without sanitization, enabling unauthenticated remote attackers to inject shell metacharacters in the lo...