CVE-2021-46398

HIGH LAB

FileBrowser < 2.18.0 - Cross-Site Request Forgery via Malicious HTML Webpage


Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-46398. PoCs published by FEBIN MON SAJI, LalieA.

AI-analyzed exploit summary: This exploit demonstrates a CSRF vulnerability in FileBrowser <= 2.17.2, allowing an attacker to create an admin-privileged backdoor user via a malicious HTML page. The exploit leverages the lack of Content-Type validation and anti-CSRF tokens to send a crafted POST request to the /api/users endpoint, leading to RCE.

Description

A Cross-Site Request Forgery vulnerability exists in FileBrowser < 2.18.0 that allows attackers to create a backdoor user with admin privileges and gain access to the filesystem via a malicious HTML webpage sent to the victim. An admin can run commands through FileBrowser, so the vulnerability leads to RCE.

Exploits (3)

exploitdb WORKING POC
by FEBIN MON SAJI · text · webapps · multiple
https://www.exploit-db.com/exploits/50717

This exploit demonstrates a CSRF vulnerability in FileBrowser <= 2.17.2, allowing an attacker to create an admin-privileged backdoor user via a malicious HTML page. The exploit leverages the lack of Content-Type validation and anti-CSRF tokens to send a crafted POST request to the /api/users endpoint, leading to RCE.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FileBrowser <= 2.17.2
Authentication: No auth needed
Prerequisites: Victim must visit the malicious HTML page while authenticated as an admin in FileBrowser
Analyzed by devstral-2 on Feb 18, 2026
nomisec WRITEUP
by LalieA · poc
https://github.com/LalieA/CVE-2021-46398

This repository provides a detailed writeup and proof-of-concept for CVE-2021-46398, a CSRF to RCE vulnerability in FileBrowser <= 2.17.2. It includes a description of the flaw, a demonstration using Docker, and references to the fix.

Classification: Writeup (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FileBrowser <= 2.17.2
Authentication: No auth needed
Prerequisites: Access to a vulnerable FileBrowser instance · Ability to trick an admin into visiting a malicious webpage
Analyzed by devstral-2 on Feb 16, 2026
inthewild WRITEUP
poc
https://github.com/febinrev/cve-2021-46398_chamilo-lms-rce

The repository describes a zero-click RCE vulnerability in Chamilo LMS v1.11.14, where an attacker can execute arbitrary code by uploading a malicious plugin via the 'My Productions' or 'My Diplomas' features. The exploit leverages user interaction with the attacker's profile page to trigger the vulnerability.

Classification: Writeup (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Chamilo LMS v1.11.14
Authentication: Auth required
Prerequisites: Attacker must have a student account · Admin must visit the attacker's profile page
Analyzed by devstral-2 on Feb 23, 2026

Scores

CVSS v3: 8.8
EPSS: 0.1035
EPSS Percentile: 93.4%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-352
Status: published
Products (2):
filebrowser/filebrowser < 2.18.0
filebrowser/filebrowser 0 - 2.18.0 (Go)
Published: Feb 04, 2022
Tracked Since: Feb 18, 2026