OS Command Injection in Horde Virtual File System VFS API
CVE-2026-60102

7.7HIGH

Key Information:

Vendor

Horde

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-60102?

The Horde Virtual File System (VFS) API prior to version 3.0.1 is susceptible to an OS command injection flaw in the Horde_Vfs_Smb driver. This vulnerability arises from the improper sanitization of command substitution sequences in the _escapeShellCommand() method. Authenticated attackers can exploit this vulnerability by injecting malicious shell commands through user-controlled filenames during file operations such as upload, rename, or deletion. These commands can be executed within a double-quoted shell context, resulting in unauthorized command execution on the server. It is crucial for users of affected versions to update to the latest release to mitigate this security risk.

Affected Version(s)

Vfs 0

References

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hacker Fantastic
.