Command Injection Vulnerability in elFinder Web File Manager by Studio 42
CVE-2026-41247

8.9 HIGH

Key Information:

Vendor: Studio-42
Status: Vendor
CVE Published: 23 April 2026

What is CVE-2026-41247?

elFinder, a popular open-source web-based file manager, prior to version 2.1.67, is susceptible to a command injection vulnerability through its resize command. The vulnerability arises from the handling of the 'bg' (background color) parameter, which is passed to shell command strings without proper escaping when using the ImageMagick CLI backend. Malicious actors could exploit this flaw by providing crafted input, potentially leading to arbitrary command execution under the privileges of the web server process. Users are urged to update to version 2.1.67 or higher to mitigate this risk.
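As an added illustration of the hardening this advisory implies (example code, not elFinder's own), the helper below validates a background-colour value against a strict allowlist and then quotes every operand with escapeshellarg() before it reaches the ImageMagick CLI; the function names, option layout and file paths are assumptions.

```php
<?php
// Added example, not elFinder's code. Defensive pattern for a colour value
// that ends up in an ImageMagick `convert` command line: allowlist first,
// then quote every argument so no value is ever parsed as shell syntax.

/**
 * Accept only the colour syntaxes the resize needs: #RGB, #RRGGBB, #RRGGBBAA,
 * or a plain alphabetic colour name such as "white" or "transparent".
 * Returns the value unchanged when valid, null when it must be rejected.
 */
function validateBgColor(string $bg): ?string
{
    if (preg_match('/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})$/', $bg)) {
        return $bg;
    }
    if (preg_match('/^[A-Za-z]{1,32}$/', $bg)) {
        return $bg;
    }
    return null;
}

/**
 * Hypothetical helper: builds a `convert` command that resizes $src onto a
 * solid background and writes $dst. The option set is an assumption, not
 * elFinder's API. escapeshellarg() wraps each operand in single quotes so
 * shell metacharacters inside any value stay literal data.
 */
function buildResizeCommand(string $src, string $dst, int $w, int $h, string $bg): string
{
    $color = validateBgColor($bg);
    if ($color === null) {
        throw new InvalidArgumentException('invalid background colour');
    }
    if ($w <= 0 || $h <= 0) {
        throw new InvalidArgumentException('invalid geometry');
    }
    $geometry = $w . 'x' . $h;
    return 'convert ' . escapeshellarg($src)
        . ' -background ' . escapeshellarg($color)
        . ' -resize ' . escapeshellarg($geometry)
        . ' -gravity center -extent ' . escapeshellarg($geometry)
        . ' ' . escapeshellarg($dst);
}

// Constructed sample inputs for a quick local check.
var_dump(validateBgColor('#ffffff') !== null);      // valid hex colour
var_dump(validateBgColor('not a color!') === null);  // rejected before any shell
echo buildResizeCommand('/tmp/in.png', '/tmp/out.png', 200, 100, '#00ff00'), "\n";
```

Even with the allowlist in place, keep the escapeshellarg() calls: validation and quoting are independent layers, and the second one protects every other operand (paths, geometry) as well.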

Affected Version(s)

elFinder < 2.1.67

CVSS v4

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved