Home

Description

Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled filenames. Attackers can supply malicious filenames containing unescaped command substitution payloads through operations such as file upload, folder creation, rename, or deletion, which are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.

PUBLISHED Reserved 2026-07-08 | Published 2026-07-08 | Updated 2026-07-08 | Assigner VulnCheck




HIGH: 7.7CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
affected

Any version before 3.0.1
affected

Credits

Hacker Fantastic finder

References

github.com/horde/Vfs/releases/tag/v3.0.1 (Release Notes) release-notes

github.com/horde/Vfs/pull/10 (Fix PR) issue-tracking

github.com/...ommit/41f74b4acfc144e09013d04dd121e0a5da808361 (Fix Commit) patch

www.vulncheck.com/...mand-injection-via-horde-vfs-smb-driver third-party-advisory

cve.org (CVE-2026-60102)

nvd.nist.gov (CVE-2026-60102)

Download JSON