PT-2026-56520 · Horde · Horde Virtual File System Api

Hacker Fantastic

·

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-60102

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Horde Virtual File System (VFS) API versions prior to 3.0.1
Description The Horde Vfs Smb driver contains an OS command injection flaw where the escapeShellCommand() method does not properly sanitize command substitution sequences. Authenticated attackers can exploit this by providing malicious filenames during file upload, folder creation, rename, or deletion operations. These filenames are interpolated into a double-quoted shell context and executed via proc open() through /bin/sh -c before smbclient runs, allowing the execution of arbitrary shell commands on the underlying system.
Recommendations Update Horde Virtual File System (VFS) API to version 3.0.1 or later.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-60102

Affected Products

Horde Virtual File System Api