Critical severityNVD Advisory· Published Mar 21, 2022· Updated Aug 3, 2024

CVE-2022-26960

Description

connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated path traversal in elFinder connector.minimal.php allows remote attackers to read, write, and browse files outside the document root.

Vulnerability

CVE-2022-26960 is a path traversal vulnerability in connector.minimal.php of std42 elFinder through version 2.1.60. The issue stems from improper handling of absolute file paths, allowing unauthenticated remote attackers to bypass the configured document root and access arbitrary files on the server [1][2]. The vulnerable code path is reachable without any authentication or special configuration.

Exploitation

An attacker can exploit this vulnerability by sending crafted HTTP requests to the elFinder connector endpoint with absolute file paths (e.g., /etc/passwd) or path traversal sequences (e.g., ../../../etc/passwd). No authentication or user interaction is required; the attacker only needs network access to the vulnerable elFinder instance [1]. The exploit does not require any special privileges or prior knowledge beyond the target's URL.

Impact

Successful exploitation allows an unauthenticated remote attacker to read, write, and browse files outside the intended document root. This can lead to disclosure of sensitive information (e.g., configuration files, credentials), modification of application files, or even remote code execution if writable paths include executable scripts [1][2]. The attacker gains the ability to traverse the entire filesystem with the privileges of the web server process.

Mitigation

The vulnerability is fixed in commit 3b75849 [3]. Users should upgrade to a version containing this patch (e.g., elFinder 2.1.61 or later). No official workaround has been provided; disabling the connector or restricting access via web server rules may reduce exposure until patching is possible [1]. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
studio-42/elfinderPackagist	< 2.1.61	2.1.61

Affected products

std42/elFinderdescription
ghsa-coords
pkg:composer/studio-42/elfinder
Range: < 2.1.61

Patches

3b758495538a

[security:CVE-2022-26960] fix a path traversal issue

https://github.com/Studio-42/elFindernao-ponMar 8, 2022via ghsa

commit

2 files changed · +15 −3

php/elFinderVolumeDriver.class.php+14 −3 modified

@@ -6794,14 +6794,22 @@ protected function getFullPath($path, $base)
             $base = rtrim($base, $separator);
         }
 
-        // 'Here'
-        if ($path === '' || $path === '.' . $separator) return $base;
-
         $sepquoted = preg_quote($separator, '#');
 
+        // normalize `//` to `/`
+        $path = preg_replace('#' . $sepquoted . '+#', $separator, $path); // '#/+#'
+
+        // remove `./`
+        $path = preg_replace('#(?<=^|' . $sepquoted . ')\.' . $sepquoted . '#', '', $path); // '#(?<=^|/)\./#'
+
+        // 'Here'
+        if ($path === '') return $base;
+
+        // join $base to $path if $path start `../`
         if (substr($path, 0, 3) === '..' . $separator) {
             $path = $base . $separator . $path;
         }
+
         // normalize `/../`
         $normreg = '#(' . $sepquoted . ')[^' . $sepquoted . ']+' . $sepquoted . '\.\.' . $sepquoted . '#'; // '#(/)[^\/]+/\.\./#'
         while (preg_match($normreg, $path)) {
@@ -6811,6 +6819,9 @@ protected function getFullPath($path, $base)
             $path = rtrim($path, $separator);
         }
 
+        // discard the surplus `../`
+        $path = str_replace('..' . $separator, '', $path);
+
         // Absolute path
         if ($path[0] === $separator || strpos($path, $systemroot) === 0) {
             return $path;

php/elFinderVolumeLocalFileSystem.class.php+1 −0 modified

@@ -485,6 +485,7 @@ protected function _abspath($path)
         if ($path === DIRECTORY_SEPARATOR) {
             return $this->root;
         } else {
+            $path = $this->_normpath($path);
             if (strpos($path, $this->systemRoot) === 0) {
                 return $path;
             } else if (DIRECTORY_SEPARATOR !== '/' && preg_match('/^[a-zA-Z]:' . preg_quote(DIRECTORY_SEPARATOR, '/') . '/', $path)) {

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-7q88-jxvp-9gp2ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-26960ghsaADVISORY
github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6dbghsax_refsource_MISCWEB
www.synacktiv.com/publications.htmlmitrex_refsource_MISC
www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.htmlghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.067
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000