PT-2026-39896 · Studio 42+2 · Elfinder+1
Elulq
·
Published
2026-05-11
·
Updated
2026-05-27
·
CVE-2026-44521
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
elFinder versions prior to 2.1.68
Description
An authenticated SQL injection exists in the MySQL volume driver (
elFinderVolumeMySQL). This issue allows any logged-in user, including those with read-only access, to inject SQL commands via a crafted file hash passed through the target parameter. The flaw occurs because file hashes are decoded without validating if the result is a valid MySQL object identifier before being used in queries within the cacheDir(), joinPath(), stat(), and fopen() functions. This can lead to unauthorized disclosure of data accessible to the MySQL account, such as file contents and database metadata, or cause a denial of service due to excessive memory consumption from broad query results. This issue only affects installations configured to use the MySQL volume driver; those using the default LocalFileSystem driver are not affected.Recommendations
Update to version 2.1.68.
As a temporary mitigation, restrict access to the
elFinderVolumeMySQL driver or avoid using the target parameter in the affected driver until the update is applied.Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Elfinder
Studio-42 Elfinder