CVE-2026-41247
Description
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user. This vulnerability is fixed in 2.1.67.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
studio-42/elfinderPackagist | < 2.1.67 | 2.1.67 |
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/Studio-42/elFinder/security/advisories/GHSA-8q4h-8crm-5cvcnvdMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-8q4h-8crm-5cvcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-41247ghsaADVISORY
News mentions
0No linked articles in our index yet.