No vendor fix or workaround currently provided.
| Source | ID | Title |
|---|---|---|
| Github GHSA | GHSA-c3gj-q88f-7hqj | elFinder MySQL has a SQL Injection in its Volume Driver (elFinderVolumeMySQL) |
Sat, 30 May 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Studio42<br>Studio42 elfinder | |
| Vendors & Products | Studio42<br>Studio42 elfinder | |
Wed, 27 May 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Wed, 27 May 2026 17:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service. This vulnerability only affects installations configured to use the MySQL volume driver. This vulnerability is fixed in 2.1.68. | |
| Title | elFinder: SQL Injection MySQL Volume Driver (elFinderVolumeMySQL) | |
| Weaknesses | CWE-89 | |
| References | | |
| Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-27T18:05:43.342Z
Reserved: 2026-05-06T19:38:10.566Z
Link: CVE-2026-44521
Updated: 2026-05-27T18:05:39.516Z
Status: Deferred
Published: 2026-05-27T18:16:23.953
Modified: 2026-06-17T10:50:45.287
Link: CVE-2026-44521
No data.
OpenCVE Enrichment
Updated: 2026-05-30T21:00:12Z