CVE-2019-9194

CRITICAL · EXPLOITED IN THE WILD · NUCLEI · LAB

elFinder < 2.1.48 - OS Command Injection in PHP Connector

Title source: llm

Exploitation Summary

CVE-2019-9194 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 6 public exploits from researchers including Metasploit, q3rv0, and estebanzarate, among them the Metasploit module exploits/unix/webapp/elfinder_php_connector_exiftran_cmd_injection. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits a command injection vulnerability in elFinder's PHP connector by uploading a malicious JPEG file with shell metacharacters in the filename, which is then processed by `exiftran` to execute arbitrary commands.

Description

elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/46539

This Metasploit module exploits a command injection vulnerability in elFinder's PHP connector by uploading a malicious JPEG file with shell metacharacters in the filename, which is then processed by `exiftran` to execute arbitrary commands.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: elFinder versions prior to 2.1.48
No auth needed
Prerequisites: elFinder PHP connector enabled · exiftran installed and in $PATH
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by q3rv0 · python · webapps · php
https://www.exploit-db.com/exploits/46481

This exploit targets a command injection vulnerability in elFinder's PHP connector by uploading a malicious image file with a payload that writes a PHP shell to the server. The exploit then triggers the payload via an image rotation command and provides interactive shell access.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: elFinder <= 2.1.47
No auth needed
Prerequisites: Target must have elFinder <= 2.1.47 installed · PHP connector must be accessible · File upload functionality must be enabled
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by estebanzarate · poc
https://github.com/estebanzarate/CVE-2019-9194-elFinder-Command-Injection-PoC

This repository contains a functional Python exploit for CVE-2019-9194, which leverages a command injection vulnerability in elFinder's PHP connector. The exploit uploads a malicious JPEG file with a crafted filename to execute arbitrary commands, resulting in remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: elFinder <= 2.1.47
No auth needed
Prerequisites: Target must have exiftran installed · elFinder PHP connector enabled (connector.minimal.php)
devstral-2 · analyzed Feb 19, 2026

nomisec STUB
by cved-sources · poc
https://github.com/cved-sources/cve-2019-9194

This repository contains a minimal Docker setup for CVE-2019-9194 but lacks actual exploit code. The provided script only starts Apache and keeps the container running.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apache HTTP Server (version not specified)
No auth needed
Prerequisites: Docker environment
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/estebanzarate/CVE-2019-9194-elFinder-Command-Injection-PoC-

This repository contains a functional Python exploit for CVE-2019-9194, which leverages a command injection vulnerability in elFinder's PHP connector. The exploit uploads a malicious JPEG file with a crafted filename to execute arbitrary commands, resulting in remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: elFinder <= 2.1.47
No auth needed
Prerequisites: exiftran installed on target · elFinder PHP connector enabled
devstral-2 · analyzed Feb 25, 2026

metasploit WORKING POC EXCELLENT
by Thomas Chauchefoin, q3rv0, bcoles · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.rb

This Metasploit module exploits a command injection vulnerability in elFinder's PHP connector by uploading a malicious JPEG file with shell metacharacters in the filename, which is then processed by `exiftran` to execute arbitrary commands.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: elFinder versions prior to 2.1.48
No auth needed
Prerequisites: exiftran installed and in $PATH · PHP connector enabled · unauthenticated access to the connector
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

elFinder <= 2.1.47 - Command Injection
CRITICAL · VERIFIED · by r00tuser111
Shodan: http.title:"elfinder"

References (5)

Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/Studio-42/elFinder/compare/6884c4f...0740028
Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/Studio-42/elFinder/releases/tag/2.1.48
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46539/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46481/
Product, Third Party Advisory x_refsource_confirm
https://github.com/Studio-42/elFinder/blob/master/README.md

Scores

CVSS v3 9.8
EPSS 0.9285
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2020-11-22
InTheWild.io 2019-11-01
CWE: CWE-78
Status published
Products (2)
std42/elfinder < 2.1.48
studio-42/elfinder 0 - 2.1.48 (Packagist)
Published Feb 26, 2019
Tracked Since Feb 18, 2026