Unknown · Filebrowser · CVE-2026-35585
**Name of the Vulnerable Software and Affected Versions**
File Browser versions 2.0.0 through 2.33.8
**Description**
The hook system in File Browser, which executes administrator-defined shell commands during file events such as upload, rename, and delete, is susceptible to OS command injection. The issue occurs in the `Runner.exec()` function within the `runner/runner.go` file, where variable substitution for values like `$FILE` and `$USERNAME` is performed using `os.Expand` without proper sanitization. An authenticated attacker with file write permissions can craft a malicious filename containing shell metacharacters. When the hook fires, the server executes these characters as arbitrary OS commands, leading to Remote Code Execution (RCE). This pattern is exploitable across various hook events, including `before upload`, `after upload`, `before rename`, `after rename`, `before delete`, and `after delete`.
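To make the substitute-then-shell pattern concrete, here is an added illustration (not File Browser's own code): a vulnerable variant that expands `$FILE`/`$USERNAME` into the whole command string before a shell parses it, beside a hardened variant that tokenises the administrator's template first, substitutes into each token, and executes without any shell so metacharacters in a filename stay literal. The function names, the `HookVars` type and the sample filename are constructed; splitting the template with `strings.Fields` assumes hook templates do not rely on shell quoting or pipes.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// HookVars holds the values a file event exposes to a hook (constructed type).
type HookVars map[string]string

// expandUnsafe mirrors the vulnerable pattern: variables are substituted into
// the full template and the result would be handed to `sh -c`. A filename
// containing ';', '|', '$(...)' etc. is then parsed as shell syntax.
func expandUnsafe(template string, vars HookVars) string {
	return os.Expand(template, func(k string) string { return vars[k] })
}

// expandSafe tokenises the template BEFORE substitution, so each expanded
// value becomes exactly one argv element, however many spaces or
// metacharacters it contains. No shell ever sees the value.
func expandSafe(template string, vars HookVars) []string {
	argv := strings.Fields(template)
	for i, tok := range argv {
		argv[i] = os.Expand(tok, func(k string) string { return vars[k] })
	}
	return argv
}

// runSafe executes argv directly (no `sh -c`); metacharacters are passed as data.
func runSafe(argv []string) (string, error) {
	if len(argv) == 0 {
		return "", fmt.Errorf("empty hook command")
	}
	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	return string(out), err
}

func main() {
	// Constructed filename with shell metacharacters, as an attacker might upload.
	vars := HookVars{"FILE": "report.txt; echo INJECTED", "USERNAME": "alice"}
	tmpl := "logger -t filebrowser upload by $USERNAME: $FILE"
	fmt.Println("unsafe string:", expandUnsafe(tmpl, vars)) // a shell would run "echo INJECTED"
	fmt.Printf("safe argv:     %q\n", expandSafe(tmpl, vars)) // filename is one literal argument
	out, _ := runSafe([]string{"echo", vars["FILE"]})
	fmt.Print("echo without shell: ", out) // prints the filename verbatim, nothing injected
}
```

In the hardened form the filename still reaches the hook command, but only as an argument value; if the template needs shell features, validate or quote the substituted values instead of passing the assembled string to a shell.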
**Recommendations**
Update to version 2.33.8 or later, as the hook feature is disabled by default from this version onwards.
As a temporary workaround, disable the hook system or restrict the use of the `Runner.exec()` function until the software is updated.