Every CVE whose affected-product data names Std42 Elfinder, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (16)
CVE-2021-43421 — CVSS 9.8 (critical): A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to…
CVE-2022-27115 — CVSS 9.8 (critical): In Studio-42 elFinder 2.1.60, there is a vulnerability that causes remote code execution through file name bypass for file upload.
CVE-2026-41247 — CVSS 9.8 (critical): elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command…
CVE-2024-38909 — CVSS 9.8 (critical): Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server…
CVE-2023-52044 — CVSS 9.8 (critical): Studio-42 eLfinder 2.1.62 is vulnerable to Remote Code Execution (RCE) as there is no restriction for uploading files with the .php8…
CVE-2021-32682 — CVSS 9.8 (critical): elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58…
CVE-2018-9109 — CVSS 9.1 (critical): Studio 42 elFinder before 2.1.36 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a…
CVE-2018-9110 — CVSS 9.1 (critical): Studio 42 elFinder before 2.1.37 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a…
CVE-2022-26960 — CVSS 9.1 (critical): connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read…
CVE-2021-23394 — CVSS 8.1 (high): The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE…
CVE-2019-6257 — CVSS 7.7 (high): A Server Side Request Forgery (SSRF) vulnerability in elFinder before 2.1.46 could allow a malicious user to access the content of internal…
CVE-2023-35840 — CVSS 6.5 (medium): _joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector.
CVE-2023-52045 — CVSS 6.1 (medium): Studio-42 eLfinder 2.1.62 contains a filename restriction bypass leading to a persistent Cross-site Scripting (XSS) vulnerability.
CVE-2019-5884 — CVSS 5.9 (medium): php/elFinder.class.php in elFinder before 2.1.45 leaks information if PHP's curl extension is enabled and safe_mode or open_basedir is not…