OS Command Injection in Horde Virtual File System VFS API
CVE-2026-60102
7.7HIGH
What is CVE-2026-60102?
The Horde Virtual File System (VFS) API prior to version 3.0.1 is susceptible to an OS command injection flaw in the Horde_Vfs_Smb driver. This vulnerability arises from the improper sanitization of command substitution sequences in the _escapeShellCommand() method. Authenticated attackers can exploit this vulnerability by injecting malicious shell commands through user-controlled filenames during file operations such as upload, rename, or deletion. These commands can be executed within a double-quoted shell context, resulting in unauthorized command execution on the server. It is crucial for users of affected versions to update to the latest release to mitigate this security risk.
Affected Version(s)
Vfs 0
