Elfinder
by Studio 42
Source repositories
CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-0818 | | Med | 0.35 | 6.5 | 0.01 | | Aug 13, 2025 | Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. This makes it possible for unauthenticated attackers to delete arbitrary files. Successful exploitation of this vulnerability requires a site owner to… |
| CVE-2019-9194 | | | 0.04 | — | 0.97 | | Feb 26, 2019 | elFinder before 2.1.48 has a command injection vulnerability in the PHP connector. |
| CVE-2021-32682 | | | 0.02 | — | 0.70 | | Jun 14, 2021 | elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with… |
| CVE-2023-52045 | | | 0.00 | — | 0.00 | | Oct 31, 2024 | Studio-42 elFinder 2.1.62 contains a filename restriction bypass leading to a persistent Cross-site Scripting (XSS) vulnerability. |
| CVE-2023-52044 | | | 0.00 | — | 0.01 | | Oct 31, 2024 | Studio-42 elFinder 2.1.62 is vulnerable to Remote Code Execution (RCE) as there is no restriction for uploading files with the .php8 extension. |
| CVE-2024-38909 | | | 0.00 | — | 0.00 | | Jul 30, 2024 | Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose secrets, perform RCE, etc. |
| CVE-2022-27115 | | | 0.00 | — | 0.29 | | Apr 11, 2022 | In Studio-42 elFinder 2.1.60, there is a vulnerability that causes remote code execution through file name bypass for file upload. |
| CVE-2021-43421 | | | 0.00 | — | 0.43 | | Apr 7, 2022 | A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code. |
| CVE-2021-45919 | | | 0.00 | — | 0.01 | | Feb 8, 2022 | Studio 42 elFinder through 2.1.31 allows XSS via an SVG document. |
| CVE-2019-6257 | | | 0.00 | — | 0.01 | | Jan 14, 2019 | A Server Side Request Forgery (SSRF) vulnerability in elFinder before 2.1.46 could allow a malicious user to access the content of internal network resources. This occurs in get_remote_contents() in php/elFinder.class.php. |
| CVE-2019-5884 | | | 0.00 | — | 0.01 | | Jan 10, 2019 | php/elFinder.class.php in elFinder before 2.1.45 leaks information if PHP's curl extension is enabled and safe_mode or open_basedir is not set. |
| CVE-2013-1972 | | | 0.00 | — | 0.01 | | Jun 24, 2013 | Cross-site request forgery (CSRF) vulnerability in the elFinder file manager module 6.x-0.x before 6.x-0.8 and 7.x-0.x before 7.x-0.8 for Drupal allows remote attackers to hijack the authentication of unspecified victims to create, modify, or delete files via unknown vectors. |