Std42Elfinder

16 matches found

CVE
added 2019/02/26 7:00 p.m. | 403 views

CVE-2019-9194

The CVE-2019-9194 issue affects elFinder before 2.1.48 (PHP connector). The Nuclei/YAML entry and Exploit-DB records confirm a command injection in the PHP connector triggered during JPEG image operations, where the filename is passed to exiftran without proper sanitization, enabling remote comma...

CVSS 9.8 | AI score 9.5 | EPSS 0.96633
Web
CVE
added 2021/06/14 4:45 p.m. | 291 views

CVE-2021-32682

elFinder 2.1.58 is affected by multiple remote code execution vulnerabilities that could allow an attacker to execute arbitrary code and commands on the server hosting the PHP connector, even with minimal configuration. The issues were patched in 2.1.59; a mitigation is to ensure the connector is...

CVSS 9.8 | AI score 9.4 | EPSS 0.69934
Web
CVE
added 2022/04/07 4:18 p.m. | 168 views

CVE-2021-43421

Summary: CVE-2021-43421 affects Studio-42 elFinder versions 2.0.4 through 2.1.59, where an unauthenticated file upload via connector.minimal.php enables arbitrary file uploads and PHP code execution on the server. Details from connected docs: multiple sources describe unauthenticated arbitrary fi...

CVSS 9.8 | AI score 9.5 | EPSS 0.42781
CVE
added 2022/03/21 4:52 p.m. | 122 views

CVE-2022-26960

CVE-2022-26960 affects elFinder

CVSS 9.1 | AI score 9.1 | EPSS 0.50993
CVE
added 2021/06/13 11:05 a.m. | 112 views

CVE-2021-23394

The CVE-2021-23394 issue affects studio-42/elFinder prior to 2.1.58, where remote code execution is possible via PHP code execution in a .phar file if the server parses .phar as PHP. Root cause: unsafe handling of .phar uploads allowing arbitrary PHP execution. Impact: attacker can execute PHP on...

CVSS 9.8 | AI score 9.2 | EPSS 0.19083
CVE
added 2024/10/31 12:00 a.m. | 94 views

CVE-2023-52044

Studio-42 elFinder 2.1.62 is vulnerable to Remote Code Execution due to unrestricted upload of .php8 files. This affects elFinder’s file upload handling and can allow arbitrary code execution on the server. The Veracode/Snyk records corroborate RCE and cite upgrading to 2.1.63+ as the remediation...

CVSS 9.8 | AI score 7.8 | EPSS 0.00768
CVE
added 2022/04/11 2:19 p.m. | 89 views

CVE-2022-27115

Studio-42 elFinder 2.1.60 is vulnerable to remote code execution via a filename-based bypass during file uploads. Root cause: filename bypass allows crafted uploads to execute on the server. Affected: elFinder 2.1.60 (Windows-specific advisory notes). Impact: remote code execution with high/criti...

CVSS 9.8 | AI score 9.8 | EPSS 0.28909
CVE
added 2022/02/08 10:27 p.m. | 80 views

CVE-2021-45919

Studio 42 elFinder versions up to 2.1.31 are affected by a cross-site scripting (XSS) vulnerability involving SVG data handling. The vulnerability stems from insecure handling of SVG document data, enabling client-side code execution. Affected product is elFinder (Studio 42), with the issue docum...

CVSS 5.4 | AI score 5.2 | EPSS 0.00616
CVE
added 2019/01/10 6:00 a.m. | 59 views

CVE-2019-5884

The CVE-2019-5884 entry concerns information disclosure in the elFinder project. It affects elFinder versions up to and including 2.1.44 (before 2.1.45), where PHP’s curl extension, combined with unsafe PHP configurations (safe_mode or open_basedir not set), can leak information. Root cause is ti...

CVSS 5.9 | AI score 5.5 | EPSS 0.01275
CVE
added 2024/07/30 12:00 a.m. | 59 views

CVE-2024-38909

Studio 42 elFinder 2.1.64 is affected by an Incorrect Access Control vulnerability that lets an attacker copy files with unauthorized extensions between server directories, potentially exposing secrets and enabling remote code execution. Root cause: flawed access control allowing cross-directory ...

CVSS 9.8 | AI score 6.7 | EPSS 0.0049
CVE
added 2023/06/19 12:00 a.m. | 57 views

CVE-2023-35840

CVE-2023-35840 affects elFinder before 2.1.62 due to a path traversal weakness in the PHP LocalVolumeDriver connector (joinPath in elFinderVolumeLocalFileSystem.class.php). The root cause is incomplete validation of the target parameter, allowing traversal beyond web root. OpenVAS details indicat...

CVSS 6.5 | AI score 6.4 | EPSS 0.01936
CVE
added 2024/10/31 12:00 a.m. | 55 views

CVE-2023-52045

CVE-2023-52045 affects Studio-42 elFinder 2.1.62, where a filename restriction bypass leads to a persistent XSS vulnerability. Impact: stored XSS via crafted filenames; context is in elFinder file handling. Remediation: upgrade to elFinder 2.1.63 or higher (as reported by Snyk/Veracode/Red Hat re...

CVSS 6.1 | AI score 6.2 | EPSS 0.00265
CVE
added 2019/01/14 7:00 a.m. | 53 views

CVE-2019-6257

The CVE-2019-6257 issue affects elFinder prior to version 2.1.46, caused by a vulnerability in get_remote_contents() within php/elFinder.class.php that permits server-side request forgery (SSRF) to access internal network resources. Public documents from NVD, Red Hat, OSV, and security advisories...

CVSS 7.7 | AI score 7.3 | EPSS 0.01098
CVE
added 2018/03/28 2:00 p.m. | 48 views

CVE-2018-9110

Studio 42 elFinder is vulnerable before version 2.1.37 due to a directory traversal flaw in elFinder.class.php zipdl() that lets an attacker download files accessible to the web server and delete files owned by the server process. The issue stems from an incomplete fix for CVE-2018-9109. Public r...

CVSS 9.1 | AI score 9.1 | EPSS 0.02899
CVE
added 2018/03/28 6:00 a.m. | 44 views

CVE-2018-9109

Studio 42 elFinder (PHP Web file manager) prior to version 2.1.36 is affected by a directory traversal vulnerability in elFinder.class.php, zipdl() function. The flaw allows a remote attacker to download files accessible by the web server process and to delete files owned by the account running t...

CVSS 9.1 | AI score 8.9 | EPSS 0.02963
CVE
added 2026/04/23 6:47 p.m. | 7 views

CVE-2026-41247

Vulnerability overview: elFinder

CVSS 9.8 | AI score 6.1 | EPSS 0.01567