Horde Virtual File System (VFS) API before 3.0.1 contains...
High severity
Unreviewed
Published
Jul 8, 2026
to the GitHub Advisory Database
•
Updated Jul 8, 2026
Description
Published by the National Vulnerability Database
Jul 8, 2026
Published to the GitHub Advisory Database
Jul 8, 2026
Last updated
Jul 8, 2026
Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled filenames. Attackers can supply malicious filenames containing unescaped command substitution payloads through operations such as file upload, folder creation, rename, or deletion, which are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.
References