studio-42/elfinder
Packagist14 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting studio-42/elfinderpage 1 of 1
- CVE-2018-9109CRITICALCVSS 9.1EG 9.1✓ Fixed in 2.1.362018-03-28
vulnerable: 2.0.3 ... 2.1.9 (43 versions)
Studio 42 elFinder before 2.1.36 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server process and delete files owned by the …
- CVE-2018-9110CRITICALCVSS 9.1EG 9.1✓ Fixed in 2.1.372018-03-28
vulnerable: 2.1.12 ... 2.1.36 (25 versions)
Studio 42 elFinder before 2.1.37 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server process and delete files owned by the …
- CVE-2019-5884MEDIUMCVSS 5.9EG 5.9✓ Fixed in 2.1.452019-01-10
vulnerable: 2.0.3 ... 2.1.9 (52 versions)
php/elFinder.class.php in elFinder before 2.1.45 leaks information if PHP's curl extension is enabled and safe_mode or open_basedir is not set.
- CVE-2019-6257HIGHCVSS 7.7EG 7.7✓ Fixed in 2.1.492019-01-14
vulnerable: 2.0.3 ... 2.1.9 (56 versions)
A Server Side Request Forgery (SSRF) vulnerability in elFinder before 2.1.46 could allow a malicious user to access the content of internal network resources. This occurs in get_remote_contents() in php/elFinder.class.php.
- CVE-2019-9194CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.1.482019-02-26
vulnerable: 2.0.3 ... 2.1.9 (55 versions)
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.
- CVE-2021-23394HIGHCVSS 8.1EG 8.1✓ Fixed in 2.1.582021-06-13
vulnerable: 2.0.3 ... 2.1.9 (65 versions)
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
- CVE-2021-32682CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.1.592021-06-14
vulnerable: 2.0.3 ... 2.1.9 (66 versions)
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hostin…
- CVE-2021-43421CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.1.602022-04-07
vulnerable: 2.0.4 ... 2.1.9 (66 versions)
A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
- CVE-2021-45919MEDIUMCVSS 5.4EG 5.42022-02-08
vulnerable: 2.0.3 ... 2.1.9 (39 versions)
Studio 42 elFinder through 2.1.31 allows XSS via an SVG document.
- CVE-2022-26960CRITICALCVSS 9.1EG 9.1✓ Fixed in 2.1.612022-03-21
vulnerable: 2.0.3 ... 2.1.9 (68 versions)
connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of a…
- CVE-2022-27115CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.1.612022-04-11
vulnerable: 2.0.3 ... 2.1.9 (68 versions)
In Studio-42 elFinder 2.1.60, there is a vulnerability that causes remote code execution through file name bypass for file upload.
- CVE-2023-35840MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.1.622023-06-19
vulnerable: 2.0.3 ... 2.1.9 (69 versions)
_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector.
- CVE-2024-38909CRITICALCVSS 9.8EG 9.82024-07-30
vulnerable: 2.0.3 ... 2.1.9 (72 versions)
Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose secrets, perform RCE, etc.
- CVE-2026-41247CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.1.672026-04-23
vulnerable: 2.0.3 ... 2.1.9 (74 versions)
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user i…
Check whether studio-42/elfinder is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for studio-42/elfinder CVEs against the assets you own.
Start Free Scan →