PT-2026-39896 · Studio 42+2 · Elfinder+1

Elulq

·

Published

2026-05-11

·

Updated

2026-05-27

·

CVE-2026-44521

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions elFinder versions prior to 2.1.68
Description An authenticated SQL injection exists in the MySQL volume driver (elFinderVolumeMySQL). This issue allows any logged-in user, including those with read-only access, to inject SQL commands via a crafted file hash passed through the target parameter. The flaw occurs because file hashes are decoded without validating if the result is a valid MySQL object identifier before being used in queries within the cacheDir(), joinPath(), stat(), and fopen() functions. This can lead to unauthorized disclosure of data accessible to the MySQL account, such as file contents and database metadata, or cause a denial of service due to excessive memory consumption from broad query results. This issue only affects installations configured to use the MySQL volume driver; those using the default LocalFileSystem driver are not affected.
Recommendations Update to version 2.1.68. As a temporary mitigation, restrict access to the elFinderVolumeMySQL driver or avoid using the target parameter in the affected driver until the update is applied.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44521
GHSA-C3GJ-Q88F-7HQJ

Affected Products

Elfinder
Studio-42 Elfinder