{"vulnerability": "CVE-2026-54088", "sightings": [{"uuid": "c43d7dde-36fa-47e7-918e-9c9d3a9a1a40", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54088", "type": "seen", "source": "https://bsky.app/profile/stackflag.bsky.social/post/3mqcxokhktk2v", "content": "CVE-2026-54088 - filebrowser\nThe File Browser's login system has a weakness that allows an attacker to execute commands on the server without needing a login. This is a serious security issue because it\u2026\n\nToo many irrelevant or confusing CVEs? Use stackflag.com\n\n#filebrowser #Golang #CVE #infosec", "creation_timestamp": "2026-07-10T20:16:06.007040Z"}, {"uuid": "9774a81b-ef2a-4947-abcc-e5d8a023f7e5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-54088", "type": "published-proof-of-concept", "source": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-m93h-4hw7-5qcm", "content": "", "creation_timestamp": "2026-07-10T20:35:07.110793Z"}, {"uuid": "dd75cea4-00eb-49a4-961a-60a3c201e07a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54088", "type": "seen", "source": "https://gist.github.com/alon710/df4eb1ffd54e58f3fa15744ed3724d35", "content": "# CVE-2026-54088: CVE-2026-54088: Pre-Authentication Remote Code Execution in File Browser Hook Authentication\n\n&gt; **CVSS Score:** 9.3\n&gt; **Published:** 2026-07-10\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-54088\n\n## Summary\nCVE-2026-54088 is a critical command injection vulnerability in File Browser prior to version 2.63.6. When Hook Authentication is enabled, the application interpolates unsanitized credentials into a shell command, allowing unauthenticated remote code execution.\n\n## TL;DR\nUnauthenticated remote command execution vulnerability in File Browser's Hook Authentication feature via unsanitized username/password inputs.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-78\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 9.3 (Critical)\n- **EPSS Score**: 0.00533 (Percentile: 41.19%)\n- **Impact**: Pre-Authentication Remote Code Execution\n- **Exploit Status**: Public Proof-of-Concept Available\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- File Browser (all deployments using Hook Authentication prior to 2.63.6)\n- **filebrowser**: &lt; 2.63.6 (Fixed in: `2.63.6`)\n\n## Mitigation\n\n- Upgrade File Browser to version 2.63.6 or later.\n- Disable Hook Authentication and fall back to local database authentication.\n- Deploy Web Application Firewall (WAF) rules to inspect login payloads.\n\n**Remediation Steps:**\n1. Identify running File Browser instances and check current versions.\n2. Pull and deploy the patched version (v2.63.6 or higher).\n3. If immediate patching is impossible, disable the Hook Auth feature via configuration.\n4. Verify the vulnerability is resolved by testing with safe canary injection attempts.\n\n## References\n\n- [NVD - CVE-2026-54088](https://nvd.nist.gov/vuln/detail/CVE-2026-54088)\n- [CVE - CVE-2026-54088](https://www.cve.org/CVERecord?id=CVE-2026-54088)\n- [File Browser v2.63.5 Vulnerable auth/hook.go Source Code](https://github.com/filebrowser/filebrowser/blob/v2.63.5/auth/hook.go)\n- [Saku0512 Public PoC Repository](https://github.com/Saku0512/CVE-2026-54088-poc)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-54088) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-11T02:41:50.212610Z"}, {"uuid": "eb0bfc1f-5ded-45b8-9dfd-2f365639e650", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54088", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/88447", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026 #POC\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-54088-poc\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a Saku0512\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-06-12 06:08:28\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\n\u65e0\u63cf\u8ff0\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-07-12T07:00:04.966262Z"}]}