PT-2026-56520 · Horde · Horde Virtual File System Api
Hacker Fantastic
·
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-60102
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Horde Virtual File System (VFS) API versions prior to 3.0.1
Description
The Horde Vfs Smb driver contains an OS command injection flaw where the
escapeShellCommand() method does not properly sanitize command substitution sequences. Authenticated attackers can exploit this by providing malicious filenames during file upload, folder creation, rename, or deletion operations. These filenames are interpolated into a double-quoted shell context and executed via proc open() through /bin/sh -c before smbclient runs, allowing the execution of arbitrary shell commands on the underlying system.Recommendations
Update Horde Virtual File System (VFS) API to version 3.0.1 or later.
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Horde Virtual File System Api