{"url":"http://public2.vulnerablecode.io/api/packages/422179?format=json","purl":"pkg:composer/studio-42/elfinder@2.0.6","type":"composer","namespace":"studio-42","name":"elfinder","version":"2.0.6","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.1.68","latest_non_vulnerable_version":"2.1.68","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/209402?format=json","vulnerability_id":"VCID-24hb-kc6u-vub1","summary":"Directory Traversal in Studio 42 elFinder","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-9110","reference_id":"","reference_type":"","scores":[{"value":"0.00847","scoring_system":"epss","scoring_elements":"0.75285","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-9110"},{"reference_url":"https://github.com/Studio-42/elFinder/commit/e6351557b86cc10a7651253d2d2aff7f6b918f8e","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/commit/e6351557b86cc10a7651253d2d2aff7f6b918f8e"},{"reference_url":"https://github.com/Studio-42/elFinder/releases/tag/2.1.37","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/releases/tag/2.1.37"},{"reference_url":"https://github.com/Studio-42/elFinder/wiki/Advisory-about-vulnerability-of-CVE-2018-9109-and-CVE-2018-9110","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/wiki/Advisory-about-vulnerability-of-CVE-2018-9109-and-CVE-2018-9110"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-9110","reference_id":"CVE-2018-9110","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-9110"},{"reference_url":"https://github.com/advisories/GHSA-44p8-c3wv-f28r","reference_id":"GHSA-44p8-c3wv-f28r","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-44p8-c3wv-f28r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21061?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.37","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2b6c-j4v1-nydv"},{"vulnerability":"VCID-5vpw-j3w8-gbce"},{"vulnerability":"VCID-7akg-fv5t-6bbf"},{"vulnerability":"VCID-ehaa-2jfx-c7ga"},{"vulnerability":"VCID-epy6-ca5e-a3fq"},{"vulnerability":"VCID-fxyn-sh8a-1uh9"},{"vulnerability":"VCID-mkke-nygt-t3ba"},{"vulnerability":"VCID-r4ng-v49y-cyed"},{"vulnerability":"VCID-ra5c-p87r-gqe9"},{"vulnerability":"VCID-sp5b-vaf7-ufcb"},{"vulnerability":"VCID-z9vz-4zex-gqfc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.37"}],"aliases":["CVE-2018-9110","GHSA-44p8-c3wv-f28r"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-24hb-kc6u-vub1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/209399?format=json","vulnerability_id":"VCID-2b6c-j4v1-nydv","summary":"elFinder Server Side Request Forgery (SSRF)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6257","reference_id":"","reference_type":"","scores":[{"value":"0.00207","scoring_system":"epss","scoring_elements":"0.43126","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6257"},{"reference_url":"https://github.com/Studio-42/elFinder/blob/2.1.49/Changelog","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/blob/2.1.49/Changelog"},{"reference_url":"https://github.com/Studio-42/elFinder/commit/2f522db8f037a66ce9040ee0b216aa4a0359286c","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/commit/2f522db8f037a66ce9040ee0b216aa4a0359286c"},{"reference_url":"https://github.com/Studio-42/elFinder/releases/tag/2.1.49","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/releases/tag/2.1.49"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6257","reference_id":"CVE-2019-6257","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6257"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/studio-42/elfinder/CVE-2019-6257.yaml","reference_id":"CVE-2019-6257.YAML","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/studio-42/elfinder/CVE-2019-6257.yaml"},{"reference_url":"https://github.com/advisories/GHSA-3qhm-qfj3-4rrx","reference_id":"GHSA-3qhm-qfj3-4rrx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3qhm-qfj3-4rrx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/390980?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.46","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5vpw-j3w8-gbce"},{"vulnerability":"VCID-7akg-fv5t-6bbf"},{"vulnerability":"VCID-ehaa-2jfx-c7ga"},{"vulnerability":"VCID-epy6-ca5e-a3fq"},{"vulnerability":"VCID-fxyn-sh8a-1uh9"},{"vulnerability":"VCID-r4ng-v49y-cyed"},{"vulnerability":"VCID-ra5c-p87r-gqe9"},{"vulnerability":"VCID-sp5b-vaf7-ufcb"},{"vulnerability":"VCID-z9vz-4zex-gqfc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.46"},{"url":"http://public2.vulnerablecode.io/api/packages/21055?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.49","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5vpw-j3w8-gbce"},{"vulnerability":"VCID-7akg-fv5t-6bbf"},{"vulnerability":"VCID-ehaa-2jfx-c7ga"},{"vulnerability":"VCID-epy6-ca5e-a3fq"},{"vulnerability":"VCID-fxyn-sh8a-1uh9"},{"vulnerability":"VCID-r4ng-v49y-cyed"},{"vulnerability":"VCID-ra5c-p87r-gqe9"},{"vulnerability":"VCID-sp5b-vaf7-ufcb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.49"}],"aliases":["CVE-2019-6257","GHSA-3qhm-qfj3-4rrx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2b6c-j4v1-nydv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208573?format=json","vulnerability_id":"VCID-5vpw-j3w8-gbce","summary":"Path Traversal in Studio-42 elFinder through 2.1.60","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-26960","reference_id":"","reference_type":"","scores":[{"value":"0.84151","scoring_system":"epss","scoring_elements":"0.99328","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-26960"},{"reference_url":"https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db"},{"reference_url":"https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html"},{"reference_url":"https://www.synacktiv.com/publications.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.synacktiv.com/publications.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26960","reference_id":"CVE-2022-26960","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26960"},{"reference_url":"https://github.com/advisories/GHSA-7q88-jxvp-9gp2","reference_id":"GHSA-7q88-jxvp-9gp2","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7q88-jxvp-9gp2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19816?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.61","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7akg-fv5t-6bbf"},{"vulnerability":"VCID-ehaa-2jfx-c7ga"},{"vulnerability":"VCID-epy6-ca5e-a3fq"},{"vulnerability":"VCID-sp5b-vaf7-ufcb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.61"}],"aliases":["CVE-2022-26960","GHSA-7q88-jxvp-9gp2"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5vpw-j3w8-gbce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/137969?format=json","vulnerability_id":"VCID-7akg-fv5t-6bbf","summary":"_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-35840","reference_id":"","reference_type":"","scores":[{"value":"0.06261","scoring_system":"epss","scoring_elements":"0.91116","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-35840"},{"reference_url":"https://github.com/Studio-42/elFinder/commit/bb9aaa7b096a1b83f2f85657c43f12131ece2891","reference_id":"bb9aaa7b096a1b83f2f85657c43f12131ece2891","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T20:05:30Z/"}],"url":"https://github.com/Studio-42/elFinder/commit/bb9aaa7b096a1b83f2f85657c43f12131ece2891"},{"reference_url":"https://github.com/afine-com/CVE-2023-35840","reference_id":"CVE-2023-35840","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T20:05:30Z/"}],"url":"https://github.com/afine-com/CVE-2023-35840"},{"reference_url":"https://github.com/sectroyer/CVEs/tree/main/CVE-2023-35840","reference_id":"CVE-2023-35840","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T20:05:30Z/"}],"url":"https://github.com/sectroyer/CVEs/tree/main/CVE-2023-35840"},{"reference_url":"https://github.com/Studio-42/elFinder/security/advisories/GHSA-wm5g-p99q-66g4","reference_id":"GHSA-wm5g-p99q-66g4","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T20:05:30Z/"}],"url":"https://github.com/Studio-42/elFinder/security/advisories/GHSA-wm5g-p99q-66g4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381851?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.62","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehaa-2jfx-c7ga"},{"vulnerability":"VCID-epy6-ca5e-a3fq"},{"vulnerability":"VCID-sp5b-vaf7-ufcb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.62"}],"aliases":["CVE-2023-35840","GHSA-wm5g-p99q-66g4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7akg-fv5t-6bbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/209400?format=json","vulnerability_id":"VCID-7ehb-cvef-7uc2","summary":"elFinder Path Traversal vulnerability","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-9109","reference_id":"","reference_type":"","scores":[{"value":"0.00847","scoring_system":"epss","scoring_elements":"0.75285","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-9109"},{"reference_url":"https://github.com/Studio-42/elFinder/commit/157f471d7e48f190f74e66eb5bc73360b5352fd3","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/commit/157f471d7e48f190f74e66eb5bc73360b5352fd3"},{"reference_url":"https://github.com/Studio-42/elFinder/releases/tag/2.1.36","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/releases/tag/2.1.36"},{"reference_url":"https://github.com/Studio-42/elFinder/wiki/Advisory-about-vulnerability-of-CVE-2018-9109-and-CVE-2018-9110","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/wiki/Advisory-about-vulnerability-of-CVE-2018-9109-and-CVE-2018-9110"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-9109","reference_id":"CVE-2018-9109","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-9109"},{"reference_url":"https://github.com/advisories/GHSA-45x3-mw7q-wf7f","reference_id":"GHSA-45x3-mw7q-wf7f","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-45x3-mw7q-wf7f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21056?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.36","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-24hb-kc6u-vub1"},{"vulnerability":"VCID-2b6c-j4v1-nydv"},{"vulnerability":"VCID-5vpw-j3w8-gbce"},{"vulnerability":"VCID-7akg-fv5t-6bbf"},{"vulnerability":"VCID-ehaa-2jfx-c7ga"},{"vulnerability":"VCID-epy6-ca5e-a3fq"},{"vulnerability":"VCID-fxyn-sh8a-1uh9"},{"vulnerability":"VCID-mkke-nygt-t3ba"},{"vulnerability":"VCID-r4ng-v49y-cyed"},{"vulnerability":"VCID-ra5c-p87r-gqe9"},{"vulnerability":"VCID-sp5b-vaf7-ufcb"},{"vulnerability":"VCID-z9vz-4zex-gqfc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.36"}],"aliases":["CVE-2018-9109","GHSA-45x3-mw7q-wf7f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7ehb-cvef-7uc2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67954?format=json","vulnerability_id":"VCID-ehaa-2jfx-c7ga","summary":"elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service. This vulnerability only affects installations configured to use the MySQL volume driver. This vulnerability is fixed in 2.1.68.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44521","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09696","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44521"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44521","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44521"},{"reference_url":"https://github.com/advisories/GHSA-c3gj-q88f-7hqj","reference_id":"GHSA-c3gj-q88f-7hqj","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c3gj-q88f-7hqj"},{"reference_url":"https://github.com/Studio-42/elFinder/security/advisories/GHSA-c3gj-q88f-7hqj","reference_id":"GHSA-c3gj-q88f-7hqj","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-27T18:04:36Z/"}],"url":"https://github.com/Studio-42/elFinder/security/advisories/GHSA-c3gj-q88f-7hqj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375484?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.68","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.68"}],"aliases":["CVE-2026-44521","GHSA-c3gj-q88f-7hqj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ehaa-2jfx-c7ga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80782?format=json","vulnerability_id":"VCID-epy6-ca5e-a3fq","summary":"elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user. This vulnerability is fixed in 2.1.67.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41247","reference_id":"","reference_type":"","scores":[{"value":"0.00093","scoring_system":"epss","scoring_elements":"0.26012","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41247"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41247","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41247"},{"reference_url":"https://github.com/advisories/GHSA-8q4h-8crm-5cvc","reference_id":"GHSA-8q4h-8crm-5cvc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8q4h-8crm-5cvc"},{"reference_url":"https://github.com/Studio-42/elFinder/security/advisories/GHSA-8q4h-8crm-5cvc","reference_id":"GHSA-8q4h-8crm-5cvc","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-25T01:25:15Z/"}],"url":"https://github.com/Studio-42/elFinder/security/advisories/GHSA-8q4h-8crm-5cvc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374154?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.67","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehaa-2jfx-c7ga"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.67"}],"aliases":["CVE-2026-41247","GHSA-8q4h-8crm-5cvc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-epy6-ca5e-a3fq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/339996?format=json","vulnerability_id":"VCID-fxyn-sh8a-1uh9","summary":"","references":[{"reference_url":"http://packetstormsecurity.com/files/164173/elFinder-Archive-Command-Injection.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/164173/elFinder-Archive-Command-Injection.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32682","reference_id":"","reference_type":"","scores":[{"value":"0.92768","scoring_system":"epss","scoring_elements":"0.9977","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32682"},{"reference_url":"https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities"},{"reference_url":"https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17"},{"reference_url":"https://github.com/Studio-42/elFinder/security/advisories/GHSA-qm58-cvvm-c5qr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/security/advisories/GHSA-qm58-cvvm-c5qr"},{"reference_url":"https://github.com/Studio-42/elFinder/security/advisories/GHSA-wph3-44rj-92pr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/security/advisories/GHSA-wph3-44rj-92pr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32682","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32682"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/383424?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.59","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5vpw-j3w8-gbce"},{"vulnerability":"VCID-7akg-fv5t-6bbf"},{"vulnerability":"VCID-ehaa-2jfx-c7ga"},{"vulnerability":"VCID-epy6-ca5e-a3fq"},{"vulnerability":"VCID-r4ng-v49y-cyed"},{"vulnerability":"VCID-sp5b-vaf7-ufcb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.59"}],"aliases":["CVE-2021-32682","GHSA-wph3-44rj-92pr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fxyn-sh8a-1uh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/209401?format=json","vulnerability_id":"VCID-mkke-nygt-t3ba","summary":"Sensitive Data Exposure in elFinder","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5884","reference_id":"","reference_type":"","scores":[{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.55124","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5884"},{"reference_url":"https://github.com/Studio-42/elFinder/commit/f133163f2d754584de65d718b2fde96191557316","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/commit/f133163f2d754584de65d718b2fde96191557316"},{"reference_url":"https://github.com/Studio-42/elFinder/releases/tag/2.1.45","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/releases/tag/2.1.45"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5884","reference_id":"CVE-2019-5884","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5884"},{"reference_url":"https://github.com/advisories/GHSA-jcgc-vxqg-85xx","reference_id":"GHSA-jcgc-vxqg-85xx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jcgc-vxqg-85xx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21057?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.45","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2b6c-j4v1-nydv"},{"vulnerability":"VCID-5vpw-j3w8-gbce"},{"vulnerability":"VCID-7akg-fv5t-6bbf"},{"vulnerability":"VCID-ehaa-2jfx-c7ga"},{"vulnerability":"VCID-epy6-ca5e-a3fq"},{"vulnerability":"VCID-fxyn-sh8a-1uh9"},{"vulnerability":"VCID-r4ng-v49y-cyed"},{"vulnerability":"VCID-ra5c-p87r-gqe9"},{"vulnerability":"VCID-sp5b-vaf7-ufcb"},{"vulnerability":"VCID-z9vz-4zex-gqfc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.45"}],"aliases":["CVE-2019-5884","GHSA-jcgc-vxqg-85xx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mkke-nygt-t3ba"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208732?format=json","vulnerability_id":"VCID-r4ng-v49y-cyed","summary":"elFinder Unrestricted File Upload vulnerability","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43421","reference_id":"","reference_type":"","scores":[{"value":"0.79545","scoring_system":"epss","scoring_elements":"0.99108","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43421"},{"reference_url":"https://github.com/Studio-42/elFinder/commit/c08bcbfa722d758d01975799b7036951eb5d33cb","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/commit/c08bcbfa722d758d01975799b7036951eb5d33cb"},{"reference_url":"https://github.com/Studio-42/elFinder/issues/3429","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/issues/3429"},{"reference_url":"https://twitter.com/infosec_90/status/1455180286354919425","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://twitter.com/infosec_90/status/1455180286354919425"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43421","reference_id":"CVE-2021-43421","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43421"},{"reference_url":"https://github.com/advisories/GHSA-x4jx-hjwf-gc99","reference_id":"GHSA-x4jx-hjwf-gc99","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x4jx-hjwf-gc99"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19815?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.60","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5vpw-j3w8-gbce"},{"vulnerability":"VCID-7akg-fv5t-6bbf"},{"vulnerability":"VCID-ehaa-2jfx-c7ga"},{"vulnerability":"VCID-epy6-ca5e-a3fq"},{"vulnerability":"VCID-sp5b-vaf7-ufcb"},{"vulnerability":"VCID-yhuc-579d-s3d2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.60"}],"aliases":["CVE-2021-43421","GHSA-x4jx-hjwf-gc99"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r4ng-v49y-cyed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/335430?format=json","vulnerability_id":"VCID-ra5c-p87r-gqe9","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23394","reference_id":"","reference_type":"","scores":[{"value":"0.76848","scoring_system":"epss","scoring_elements":"0.98977","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23394"},{"reference_url":"https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities"},{"reference_url":"https://github.com/Studio-42/elFinder/commit/75ea92decc16a5daf7f618f85dc621d1b534b5e1","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/commit/75ea92decc16a5daf7f618f85dc621d1b534b5e1"},{"reference_url":"https://github.com/Studio-42/elFinder/issues/3295","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/issues/3295"},{"reference_url":"https://github.com/Studio-42/elFinder/security/advisories/GHSA-qm58-cvvm-c5qr","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/security/advisories/GHSA-qm58-cvvm-c5qr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23394","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23394"},{"reference_url":"https://snyk.io/vuln/SNYK-PHP-STUDIO42ELFINDER-1290554","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-PHP-STUDIO42ELFINDER-1290554"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/383260?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.58","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5vpw-j3w8-gbce"},{"vulnerability":"VCID-7akg-fv5t-6bbf"},{"vulnerability":"VCID-ehaa-2jfx-c7ga"},{"vulnerability":"VCID-epy6-ca5e-a3fq"},{"vulnerability":"VCID-fxyn-sh8a-1uh9"},{"vulnerability":"VCID-r4ng-v49y-cyed"},{"vulnerability":"VCID-sp5b-vaf7-ufcb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.58"}],"aliases":["CVE-2021-23394","GHSA-qm58-cvvm-c5qr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ra5c-p87r-gqe9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37453?format=json","vulnerability_id":"VCID-sp5b-vaf7-ufcb","summary":"Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose secrets, perform RCE, etc.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-38909","reference_id":"","reference_type":"","scores":[{"value":"0.00255","scoring_system":"epss","scoring_elements":"0.49106","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-38909"},{"reference_url":"https://github.com/B0D0B0P0T/CVE/blob/main/CVE-2024-38909","reference_id":"CVE-2024-38909","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-07-30T19:10:09Z/"}],"url":"https://github.com/B0D0B0P0T/CVE/blob/main/CVE-2024-38909"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38909","reference_id":"CVE-2024-38909","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38909"},{"reference_url":"http://elfinder.com","reference_id":"elfinder.com","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-07-30T19:10:09Z/"}],"url":"http://elfinder.com"},{"reference_url":"https://github.com/advisories/GHSA-3h9f-mm2x-4j58","reference_id":"GHSA-3h9f-mm2x-4j58","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3h9f-mm2x-4j58"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/732816?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.65","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehaa-2jfx-c7ga"},{"vulnerability":"VCID-epy6-ca5e-a3fq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.65"}],"aliases":["CVE-2024-38909","GHSA-3h9f-mm2x-4j58"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sp5b-vaf7-ufcb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207977?format=json","vulnerability_id":"VCID-wp9t-dunm-aufb","summary":"Studio 42 elFinder allows stored XSS","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-45919","reference_id":"","reference_type":"","scores":[{"value":"0.00334","scoring_system":"epss","scoring_elements":"0.56606","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-45919"},{"reference_url":"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-stored-xss-to-rce-using-beef-and-elfinder-cve-2021-45919","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-stored-xss-to-rce-using-beef-and-elfinder-cve-2021-45919"},{"reference_url":"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-stored-xss-to-rce-using-beef-and-elfinder-cve-2021-45919/","reference_id":"","reference_type":"","scores":[],"url":"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-stored-xss-to-rce-using-beef-and-elfinder-cve-2021-45919/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45919","reference_id":"CVE-2021-45919","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45919"},{"reference_url":"https://github.com/advisories/GHSA-c3j8-q5x6-2855","reference_id":"GHSA-c3j8-q5x6-2855","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c3j8-q5x6-2855"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/392159?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-24hb-kc6u-vub1"},{"vulnerability":"VCID-2b6c-j4v1-nydv"},{"vulnerability":"VCID-5vpw-j3w8-gbce"},{"vulnerability":"VCID-7akg-fv5t-6bbf"},{"vulnerability":"VCID-7ehb-cvef-7uc2"},{"vulnerability":"VCID-ehaa-2jfx-c7ga"},{"vulnerability":"VCID-epy6-ca5e-a3fq"},{"vulnerability":"VCID-fxyn-sh8a-1uh9"},{"vulnerability":"VCID-mkke-nygt-t3ba"},{"vulnerability":"VCID-r4ng-v49y-cyed"},{"vulnerability":"VCID-ra5c-p87r-gqe9"},{"vulnerability":"VCID-sp5b-vaf7-ufcb"},{"vulnerability":"VCID-z9vz-4zex-gqfc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.32"}],"aliases":["CVE-2021-45919","GHSA-c3j8-q5x6-2855"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wp9t-dunm-aufb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/209884?format=json","vulnerability_id":"VCID-z9vz-4zex-gqfc","summary":"elFinder command injection vulnerability in the PHP connector","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-9194","reference_id":"","reference_type":"","scores":[{"value":"0.9285","scoring_system":"epss","scoring_elements":"0.99776","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-9194"},{"reference_url":"https://github.com/Studio-42/elFinder/blob/master/README.md","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/blob/master/README.md"},{"reference_url":"https://github.com/Studio-42/elFinder/commit/374c88d7030eb92749267e17a4af21cc7520efa5","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/commit/374c88d7030eb92749267e17a4af21cc7520efa5"},{"reference_url":"https://github.com/Studio-42/elFinder/compare/6884c4f...0740028","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/compare/6884c4f...0740028"},{"reference_url":"https://github.com/Studio-42/elFinder/releases/tag/2.1.48","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Studio-42/elFinder/releases/tag/2.1.48"},{"reference_url":"https://www.exploit-db.com/exploits/46481","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/46481"},{"reference_url":"https://www.exploit-db.com/exploits/46481/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/46481/"},{"reference_url":"https://www.exploit-db.com/exploits/46539","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/46539"},{"reference_url":"https://www.exploit-db.com/exploits/46539/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/46539/"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/remote/46539.rb","reference_id":"CVE-2019-9194","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/remote/46539.rb"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46481.py","reference_id":"CVE-2019-9194","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46481.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-9194","reference_id":"CVE-2019-9194","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-9194"},{"reference_url":"https://raw.githubusercontent.com/rapid7/metasploit-framework/a4c1181b9f81869b7b1df62affbc9554e828f81c/modules/exploits/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.rb","reference_id":"CVE-2019-9194","reference_type":"exploit","scores":[],"url":"https://raw.githubusercontent.com/rapid7/metasploit-framework/a4c1181b9f81869b7b1df62affbc9554e828f81c/modules/exploits/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.rb"},{"reference_url":"https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/","reference_id":"CVE-2019-9194","reference_type":"exploit","scores":[],"url":"https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/studio-42/elfinder/CVE-2019-9194.yaml","reference_id":"CVE-2019-9194.YAML","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/studio-42/elfinder/CVE-2019-9194.yaml"},{"reference_url":"https://github.com/advisories/GHSA-4223-qj94-7x9p","reference_id":"GHSA-4223-qj94-7x9p","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4223-qj94-7x9p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21736?format=json","purl":"pkg:composer/studio-42/elfinder@2.1.48","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5vpw-j3w8-gbce"},{"vulnerability":"VCID-7akg-fv5t-6bbf"},{"vulnerability":"VCID-ehaa-2jfx-c7ga"},{"vulnerability":"VCID-epy6-ca5e-a3fq"},{"vulnerability":"VCID-fxyn-sh8a-1uh9"},{"vulnerability":"VCID-r4ng-v49y-cyed"},{"vulnerability":"VCID-ra5c-p87r-gqe9"},{"vulnerability":"VCID-sp5b-vaf7-ufcb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.1.48"}],"aliases":["CVE-2019-9194","GHSA-4223-qj94-7x9p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z9vz-4zex-gqfc"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/studio-42/elfinder@2.0.6"}