EXECUTIVE SUMMARY:
CVE-2026-44521 (CVSS score 8.8) is a Critical SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL). Any logged-in user, including a user with read-only access to the affected volume, can inject SQL through a crafted target file hash. The flaw affects installations configured to use the MySQL volume driver and results from two behaviors working together: file hashes are decoded without validating that the decoded value is a valid MySQL object identifier, and the decoded value is then used in MySQL driver queries. An authenticated user can exploit this to disclose data accessible to the configured MySQL account, including file contents stored by the driver and database metadata, or to trigger denial of service through expensive or unexpectedly broad query results. The severity of the data exposure depends on the privileges granted to the configured MySQL account. The attacker gains the capability to access and modify sensitive data, with potential business impact including loss of sensitive data, unauthorized data disclosure, and denial of service. Only installations using the MySQL volume driver are affected; installations using the default LocalFileSystem driver are not.
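An added example (not elFinder's code and not the upstream fix) of the check the summary says was missing: the decoded hash is accepted only if it is a canonical positive integer, and it then reaches MySQL as a bound parameter. The hash layout, the `m1_` prefix, the `example_files` table and all function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not elFinder source. Assumed hash layout: volume prefix plus
// URL-safe base64 of the row id. All names and values below are hypothetical.
const VOLUME_ID = 'm1_';

function encodeHash(string $value): string
{
    return VOLUME_ID . rtrim(strtr(base64_encode($value), '+/=', '-_.'), '.');
}

/** Decode a client-supplied hash; return the row id, or null if it is not one. */
function decodeObjectId(string $hash): ?int
{
    if (strncmp($hash, VOLUME_ID, strlen(VOLUME_ID)) !== 0) {
        return null;                               // hash belongs to another volume
    }
    $b64 = strtr((string) substr($hash, strlen(VOLUME_ID)), '-_.', '+/=');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);   // restore stripped padding
    $raw = base64_decode($b64, true);              // strict: reject stray bytes
    // Accept only a canonical positive decimal: no sign, spaces or trailing text.
    if ($raw === false || preg_match('/\A[1-9][0-9]{0,17}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

/** Look up one row with the id bound as an integer, never concatenated. */
function fetchFile(mysqli $db, string $hash): ?array
{
    $id = decodeObjectId($hash);
    if ($id === null) {
        return null;                               // rejected before any SQL runs
    }
    // The unsafe pattern is building this SQL by concatenating the decoded value.
    $stmt = $db->prepare('SELECT id, name, size FROM example_files WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Constructed inputs: one valid id, then values that are not identifiers.
foreach (['42', '42 x', '007', '-1', ''] as $value) {
    $hash = encodeHash($value);
    printf("%-8s %-12s => %s\n", var_export($value, true), $hash,
        var_export(decodeObjectId($hash), true));
}
```

Only the first constructed input decodes to an integer; the others return `NULL`, so `fetchFile()` would return before preparing a statement.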
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-c3gj-q88f-7hqj