CVE-2026-54088

CVE-2026-54088 is a critical-severity vulnerability with a CVSS 4.0 base score of 9.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-78.

Key facts

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.

Frequently asked questions

What is CVE-2026-54088?
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials (username and password) are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote attacker can inject shell metacharacters in the username or password field at the login screen, causing the server to execute arbitrary OS commands before any authentication takes place. This is a critical pre-authentication RCE. This vulnerability is fixed in 2.63.6.
How severe is CVE-2026-54088?
CVE-2026-54088 has a CVSS 4.0 base score of 9.3, rated critical severity.
Is CVE-2026-54088 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (41st percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-54088?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
Does CVE-2026-54088 have an EU (EUVD) identifier?
Yes. CVE-2026-54088 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-39510.
When was CVE-2026-54088 published?
CVE-2026-54088 was published on 2026-06-25.

References

Other CWE-78 (OS Command Injection) vulnerabilities

Browse all CWE-78 (OS Command Injection) vulnerabilities →