CVE-2026-44521
Published 2026-05-27
Priority: P3 (55) · Severity: high · CVSS 3.1: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.24% (percentile 15.3)
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service. This vulnerability only affects installations configured to use the MySQL volume driver. This vulnerability is fixed in 2.1.68.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| studio-42 | elfinder | < 2.1.68 | 2.1.68 |
| studio-42 | elfinder | >= 0 < 2.1.68 | 2.1.68 |
VulDB
Studio-42 elFinder up to 2.1.67 MySQL Volume Driver sql injection (EUVD-2026-32607)
vuldb · 2026-05-27 · CVSS 8.8 · CVE-2026-44521 [HIGH]
A vulnerability, which was classified as critical, was found in Studio-42 elFinder up to 2.1.67. Affected by this issue is some unknown functionality of the component MySQL Volume Driver. Manipulation of the input can lead to SQL injection.
This vulnerability is tracked as CVE-2026-44521. The attack can be executed remotely. No exploit is available.
You should upgrade the affected component.
GHSA
elFinder MySQL has a SQL Injection in its Volume Driver (elFinderVolumeMySQL)
ghsa · 2026-05-11 · CVE-2026-44521 [HIGH] · CWE-89
## Summary
An authenticated SQL injection vulnerability in the elFinder MySQL volume driver (`elFinderVolumeMySQL`) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted `target` file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service.
This vulnerability only affects installations configured to use the `MySQL` volume driver. Installations using the default `LocalFileSystem` driver are not affected.
## Description
A vulnerability in elFinder's MySQL volume driver (`elFinderVolumeMySQL`) allows authenticated SQL injection through a crafted file hash passed via the `target` parameter.
The issue is cause
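The hash-to-query path described above, as an added example that is not elFinder's own code: it reimplements elFinder's hash scheme (a volume-id prefix followed by URL-safe base64 of the path, with the `=` padding trimmed), then shows a hypothetical MySQL-driver-style stat lookup that concatenates the decoded value into SQL, beside a hardened variant that enforces the integer-id contract of the MySQL driver and binds the value as a parameter. The advisory text on this page does not say where in `elFinderVolumeMySQL` the concatenation happens, so the vulnerable query here illustrates the pattern only. `VOLUME_ID`, the `files` and `users` tables, and the row contents are constructed, and SQLite stands in for MySQL so the script runs offline.

```python
"""Added illustration for CVE-2026-44521: an elFinder-style `target` hash carrying SQL
into a MySQL-volume lookup, beside a hardened lookup. Not elFinder's code; SQLite stands
in for MySQL and every table and row below is constructed."""
import base64
import re
import sqlite3

VOLUME_ID = "m1_"  # hypothetical volume id prefix, as elFinder prepends to every hash


def encode_hash(volume_id: str, path: str) -> str:
    """elFinder-style hash: volume id + base64(path) with '+/=' mapped to '-_.'
    and the trailing '.' padding trimmed (reimplemented here for illustration)."""
    b64 = base64.b64encode(path.encode()).decode()
    return volume_id + b64.translate(str.maketrans("+/=", "-_.")).rstrip(".")


def decode_hash(volume_id: str, target: str) -> str:
    """Reverse of encode_hash. The decoded value is attacker-controlled text."""
    if not target.startswith(volume_id):
        raise ValueError("hash does not belong to this volume")
    b64 = target[len(volume_id):].translate(str.maketrans("-_.", "+/="))
    b64 += "=" * (-len(b64) % 4)  # restore the padding that encode_hash trimmed
    return base64.b64decode(b64).decode()


def build_demo_db() -> sqlite3.Connection:
    """Constructed schema: a files table the user may browse and a users table they may not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE files(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, login TEXT, password TEXT);
        INSERT INTO files VALUES (1, 'readme.txt'), (2, 'budget.xlsx');
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed-hash');
        """
    )
    return conn


def stat_vulnerable(conn, volume_id, target):
    """Hypothetical driver lookup that trusts the decoded hash and concatenates it into SQL."""
    path = decode_hash(volume_id, target)
    sql = f"SELECT id, name FROM files WHERE id='{path}'"  # injection point
    return conn.execute(sql).fetchall()


def stat_hardened(conn, volume_id, target):
    """Same lookup with the integer-id contract enforced and the value bound as a parameter."""
    path = decode_hash(volume_id, target)
    if not re.fullmatch(r"[0-9]+", path):
        raise ValueError(f"invalid file id in hash: {path!r}")
    return conn.execute("SELECT id, name FROM files WHERE id=?", (int(path),)).fetchall()


def demo():
    """What a read-only user gets from each lookup with a legitimate and a crafted hash."""
    conn = build_demo_db()
    legit = encode_hash(VOLUME_ID, "1")
    # Crafted path: closes the quoted id, unions in the users table, comments out the rest.
    crafted = encode_hash(VOLUME_ID, "0' UNION SELECT id, password FROM users -- ")
    try:
        stat_hardened(conn, VOLUME_ID, crafted)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "legit_rows": stat_vulnerable(conn, VOLUME_ID, legit),
        "leaked_rows": stat_vulnerable(conn, VOLUME_ID, crafted),
        "hardened_blocked": blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The legitimate hash returns the same `files` row from both lookups; the crafted hash returns a row from `users` through the concatenating lookup, which is the data-disclosure outcome the advisory describes, and is rejected before it reaches SQL by the hardened one. The denial-of-service side of the advisory (a time-consuming payload in the same position) is not demonstrated here.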
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.