CVE-2026-35585

HIGH LAB

File Browser 2.0.0-2.63.1 Hook Runner - Command Injection


Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-35585. PoCs published by adminlove520, Saku0512.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-35585, an OS command injection vulnerability in File Browser versions 2.0.0 to 2.33.1. The exploit leverages insufficient sanitization of environment variables in custom command hooks to achieve remote code execution via crafted filenames.

Description

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 until 2.33.8, the hook system in File Browser — which executes administrator-defined shell commands on file events such as upload, rename, and delete — is vulnerable to OS command injection. Variable substitution for values like $FILE and $USERNAME is performed via os.Expand without sanitization. An attacker with file write permission can craft a malicious filename containing shell metacharacters, causing the server to execute arbitrary OS commands when the hook fires. This results in Remote Code Execution (RCE). This feature has been disabled by default for all installations from v2.33.8 onwards, including existing installations.

Exploits (2)

GitHub · WORKING POC · 4 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-35585

This repository contains a functional exploit for CVE-2026-35585, an OS command injection vulnerability in File Browser versions 2.0.0 to 2.33.1. The exploit leverages insufficient sanitization of environment variables in custom command hooks to achieve remote code execution via crafted filenames.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: File Browser v2.0.0 to v2.33.1
Auth required: yes
Prerequisites: authenticated user with file upload privileges · custom command hooks configured in File Browser
Analyzed May 07, 2026 by devstral-2
nomisec · WORKING POC
by Saku0512 · poc
https://github.com/Saku0512/CVE-2026-35585-poc

This repository contains a functional exploit for CVE-2026-35585, an OS command injection vulnerability in File Browser versions 2.0.0 to 2.33.1. The exploit leverages insufficient sanitization of environment variables in custom command hooks to achieve remote code execution via crafted filenames.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: File Browser v2.0.0 to v2.33.1
Auth required: yes
Prerequisites: authenticated user with file upload privileges · custom command hooks enabled
Analyzed Apr 15, 2026 by devstral-2

References (2)

Core references (2)
x_refsource_MISC: https://github.com/filebrowser/filebrowser/issues/5199

Scores

CVSS v3: 7.2
EPSS: 0.0040
EPSS percentile: 61.2%
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical impact: total

Lab Environment

Community Lab
docker pull filebrowser/filebrowser:v2.33.1

Details

CWE: CWE-78, CWE-88
Status: published
Products (4):
filebrowser/filebrowser 0 - 2.33.8 (Go)
filebrowser/filebrowser 2.0.0 - 2.63.1
filebrowser/filebrowser >= 2.0.0-rc.1, < 2.33.8
filebrowser/filebrowser >= 2.0.0-rc.1, <= 2.63.1
Published: Apr 07, 2026
Tracked since: Apr 07, 2026