VYPR
Critical severity · OSV Advisory · Published Feb 26, 2019 · Updated Aug 4, 2024

CVE-2019-9194

Description

elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in elFinder PHP connector before 2.1.48 allows remote code execution via the exiftran command.

Vulnerability

elFinder versions before 2.1.48 contain a command injection vulnerability in the PHP connector. The application passes user-controlled input to the exiftran command without proper sanitization, allowing an attacker to inject arbitrary operating system commands. The vulnerability is triggered when the connector processes certain file operations that involve the exiftran binary [1].

Exploitation

An attacker with the ability to upload files or manipulate file paths within the elFinder web interface can exploit this vulnerability. The attacker crafts a filename or other input that includes shell metacharacters. When the PHP connector executes the exiftran command on the user-supplied data, the injected commands are executed on the server. The Metasploit module for this exploit (exploit-db 46539) demonstrates a remote attack scenario requiring only network access to the elFinder instance [1].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the server with the privileges of the web server process. This typically amounts to full remote code execution (RCE), enabling the attacker to read sensitive files, modify or delete data, install malware, or pivot to other internal systems. The severity is critical; the references do not disclose a CVSSv3 base score, but the Metasploit module rates the exploit 'ExcellentRanking' [1].

Mitigation

The vulnerability is fixed in elFinder version 2.1.48 and later. Users must update to at least this version to remediate the issue. The project's README strongly warns against running older (2.1.67 or earlier) versions on public servers, as they 'may cause serious damage' [3][4]. No workaround is available; upgrading is the only solution.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: studio-42/elfinder (Packagist)
Affected versions: < 2.1.48
Patched versions: 2.1.48
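One way to check a deployment against the affected Packagist range above, as an added example that is not part of the advisory or of elFinder itself: it reads a constructed composer.lock and flags any studio-42/elfinder pin older than 2.1.48, comparing versions numerically rather than as strings.

```python
import json
import re

# Version bound taken from the advisory: studio-42/elfinder below 2.1.48 is affected.
PACKAGE = "studio-42/elfinder"
FIXED_VERSION = "2.1.48"

def parse_version(version):
    """Turn a Composer version string such as 'v2.1.47' or '2.1.48.0' into a
    comparable tuple of integers. Pre-release/build suffixes ('-beta1', '+x') are
    dropped, so they compare like the base version; a string with no numeric core
    (e.g. 'dev-master') yields () and so ranks below every release: flagged conservatively."""
    core = version.lstrip("vV").split("-", 1)[0].split("+", 1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)

def is_vulnerable(version):
    """True when the installed version is older than the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def audit_composer_lock(lock_text):
    """Return (name, version, vulnerable) for every elFinder entry in a
    composer.lock document, covering both the runtime and dev package lists."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name", "").lower() == PACKAGE:
                findings.append((pkg["name"], pkg["version"], is_vulnerable(pkg["version"])))
    return findings

# Constructed sample composer.lock (not from any real project) with a vulnerable pin.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "studio-42/elfinder", "version": "v2.1.47"},
        {"name": "monolog/monolog", "version": "1.24.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, version, vuln in audit_composer_lock(SAMPLE_LOCK):
        status = "VULNERABLE to CVE-2019-9194, upgrade to 2.1.48 or later" if vuln else "ok"
        print(f"{name} {version}: {status}")
```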

Patches

374c88d7030e

[VD:abstract,Security] fix command injection vulnerability of PHP connector

https://github.com/Studio-42/elFinder · nao-pon · Feb 26, 2019 · via ghsa
1 file changed · +6 −6
  • php/elFinderVolumeDriver.class.php · +6 −6 · modified
    @@ -3476,7 +3476,7 @@ public function ffmpegToImg($file, $stat, $self, $ss = null)
                         $ss = $this->options['tmbVideoConvSec'];
                     }
                 }
    -            $cmd = sprintf(ELFINDER_FFMPEG_PATH . ' -i %s -ss 00:00:%.3f -vframes 1 -f image2 %s', escapeshellarg($tmp), $ss, escapeshellarg($file));
    +            $cmd = sprintf(ELFINDER_FFMPEG_PATH . ' -i %s -ss 00:00:%.3f -vframes 1 -f image2 -- %s', escapeshellarg($tmp), $ss, escapeshellarg($file));
                 $r = ($this->procExec($cmd) === 0);
                 clearstatcache();
                 if ($r && $ss > 0 && !file_exists($file)) {
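Review bot: in the ffmpeg line, `--` before the output `%s` is an option-injection guard, not a shell-injection fix: both paths were already wrapped in escapeshellarg(), so the shell could never split them, but a destination name beginning with `-` could still have been parsed by ffmpeg as an option. The input path after `-i` is consumed as that option's value and needs no marker. A short comment on the line saying why `--` is there would keep a later cleanup from dropping it.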
    @@ -5463,7 +5463,7 @@ protected function createTmb($path, $stat)
                     }
                 } else if ($this->imgLib === 'convert') {
                     $convParams = $this->imageMagickConvertPrepare($tmb, 'png', 100, array(), $stat['mime']);
    -                $cmd = sprintf('%s -colorspace sRGB -trim %s %s', ELFINDER_CONVERT_PATH, $convParams['quotedPath'], $convParams['quotedDstPath']);
    +                $cmd = sprintf('%s -colorspace sRGB -trim -- %s %s', ELFINDER_CONVERT_PATH, $convParams['quotedPath'], $convParams['quotedDstPath']);
                     $result = false;
                     if ($this->procExec($cmd) === 0) {
                         if (($s = getimagesize($tmb)) !== false) {
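Review bot: whether `--` ends option parsing is decided by the invoked program, not the shell, so this change needs a test against the pinned ImageMagick release: if `convert` does not honor `--`, a `$convParams['quotedDstPath']` beginning with `-` is still read as an option. The source side is more robust where it carries an explicit `format:` prefix, as the `$srcType . $path` construction in the imageMagickConvertPrepare hunk does, since an argument starting with a format name cannot be mistaken for a switch; the destination path should get the same treatment.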
    @@ -6004,10 +6004,10 @@ protected function imgRotate($path, $degree, $bgcolor = '#ffffff', $destformat =
                 $quotedPath = escapeshellarg($path);
                 $cmds = array();
                 if ($this->procExec(ELFINDER_EXIFTRAN_PATH . ' -h') === 0) {
    -                $cmds[] = ELFINDER_EXIFTRAN_PATH . ' -i ' . $exiftran[$count] . ' ' . $path;
    +                $cmds[] = ELFINDER_EXIFTRAN_PATH . ' -i ' . $exiftran[$count] . ' -- ' . $quotedPath;
                 }
                 if ($this->procExec(ELFINDER_JPEGTRAN_PATH . ' -version') === 0) {
    -                $cmds[] = ELFINDER_JPEGTRAN_PATH . ' -rotate ' . $jpegtran[$count] . ' -copy all -outfile ' . $quotedPath . ' ' . $quotedPath;
    +                $cmds[] = ELFINDER_JPEGTRAN_PATH . ' -rotate ' . $jpegtran[$count] . ' -copy all -outfile ' . $quotedPath . ' -- ' . $quotedPath;
                 }
                 foreach ($cmds as $cmd) {
                     if ($this->procExec($cmd) === 0) {
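Review bot: this hunk is the actual shell injection: the removed exiftran line appends the raw `$path` even though `$quotedPath = escapeshellarg($path)` is computed at the top of the hunk, so a filename carrying shell metacharacters was interpolated into the command string unescaped. Switching to `$quotedPath` is the fix; `--` additionally stops a leading-dash name from being taken as an exiftran option. For jpegtran both arguments were already quoted, so `--` is the only change there, and jpegtran's hand-written switch parser should be checked to accept it: the loop below only keeps a command whose exit status is 0, so an unrecognized `--` would make that branch quietly never succeed rather than fail visibly.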
    @@ -6067,7 +6067,7 @@ protected function imgRotate($path, $degree, $bgcolor = '#ffffff', $destformat =
                     if ($s[2] === IMAGETYPE_GIF || $s[2] === IMAGETYPE_PNG) {
                         $bgcolor = 'rgba(255, 255, 255, 0.0)';
                     }
    -                $cmd = sprintf('%s %s%s%s%s -background "%s" -rotate %d%s %s', ELFINDER_CONVERT_PATH, $quotedPath, $coalesce, $jpgQuality, $interlace, $bgcolor, $degree, $deconstruct, $quotedDstPath);
    +                $cmd = sprintf('%s%s%s%s -background "%s" -rotate %d%s -- %s %s', ELFINDER_CONVERT_PATH, $coalesce, $jpgQuality, $interlace, $bgcolor, $degree, $deconstruct, $quotedPath, $quotedDstPath);
     
                     $result = false;
                     if ($this->procExec($cmd) === 0) {
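Review bot: besides adding `--`, this reorders the convert invocation so `$coalesce`, `$jpgQuality`, `$interlace`, `-background` and `-rotate` now precede the input image instead of following it. ImageMagick 6's legacy `convert` applies operators given before an image to the images read afterwards, but IM7's command-line parsing is stricter about ordering, so the rotate path should be exercised on both before merging. Separately, `-background "%s"` quotes `$bgcolor` by hand with double quotes; the values assigned in this hunk are constants, but if that variable ever comes from a request parameter, double quotes do not stop `$(...)` or backtick expansion, so route it through escapeshellarg() like the paths.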
    @@ -6420,7 +6420,7 @@ protected function imageMagickConvertPrepare($path, $destformat, $jpgQuality, $i
             $srcType = $this->getExtentionByMime($mime, ':');
             $ani = false;
             if (preg_match('/^(?:gif|png|ico)/', $srcType)) {
    -            $cmd = ELFINDER_IDENTIFY_PATH . ' ' . escapeshellarg($srcType . $path);
    +            $cmd = ELFINDER_IDENTIFY_PATH . ' -- ' . escapeshellarg($srcType . $path);
                 if ($this->procExec($cmd, $o) === 0) {
                     $ani = preg_split('/(?:\r\n|\n|\r)/', trim($o));
                     if (count($ani) < 2) {
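Review bot: here `--` is defense in depth rather than the fix: the argument is `escapeshellarg($srcType . $path)`, and `$srcType` comes from getExtentionByMime($mime, ':'), so it already begins with a format prefix such as `gif:` and cannot start with `-`. Keeping the marker is fine provided identify accepts it (same caveat as for the convert hunks); a comment noting that the prefix is the primary guard would help the next reader.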
    
