CVE-2026-54088
filebrowser · filebrowser
File Browser contains a pre-authentication command injection vulnerability in the Hook Authentication feature, allowing unauthenticated remote code execution via shell metacharacter injection.
Executive summary
A critical command injection vulnerability in File Browser allows unauthenticated attackers to execute arbitrary OS commands, leading to full server takeover.
Vulnerability
When Hook Authentication is enabled, the application substitutes user-supplied credentials into the hook command with os.Expand and performs no sanitization on them. Because the login fields reach the shell unescaped, an unauthenticated attacker can inject shell metacharacters and trigger arbitrary command execution on the host OS.
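The pattern described above, shown as an added Go example rather than File Browser's own code: a hook template expanded with os.Expand and handed to a shell keeps whatever the login form sends, while the hardened form executes the hook binary directly with a fixed argv and passes the credentials as environment variables. The template string, the placeholder names, the hook path and the AUTH_USERNAME/AUTH_PASSWORD variable names are assumptions for this illustration; the sample input is constructed.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// hookTemplate stands in for an operator-configured hook command line.
// The placeholder names are an assumption for this example, not File Browser's own.
const hookTemplate = "/usr/local/bin/auth-hook ${username} ${password}"

// buildShellLineUnsafe shows the vulnerable pattern: credentials are substituted
// into the command line with os.Expand and the result would be handed to `sh -c`.
// Nothing about the values is checked, so shell metacharacters survive intact.
func buildShellLineUnsafe(username, password string) string {
	return os.Expand(hookTemplate, func(key string) string {
		switch key {
		case "username":
			return username
		case "password":
			return password
		}
		return ""
	})
}

// shellMetaChars lists the characters a POSIX shell treats specially.
const shellMetaChars = ";|&$`<>(){}\n\"'\\*?[]~#"

// containsShellMeta reports whether a credential would change how a shell parses
// the command line. Useful as a guard or log check, not as a substitute for the fix.
func containsShellMeta(s string) bool {
	return strings.ContainsAny(s, shellMetaChars) || strings.ContainsAny(s, " \t")
}

// buildHookCommandSafe is the hardened form: the hook binary is exec'd directly
// with a fixed argv (no shell involved), and credentials travel as environment
// variables, where they are opaque bytes rather than parsed syntax.
func buildHookCommandSafe(hookPath, username, password string) *exec.Cmd {
	cmd := exec.Command(hookPath) // argv is exactly [hookPath]; nothing is interpolated
	cmd.Env = append(os.Environ(),
		"AUTH_USERNAME="+username, // variable names are an assumption for this example
		"AUTH_PASSWORD="+password,
	)
	return cmd
}

func main() {
	// Constructed sample input: a username carrying a shell metacharacter.
	user, pass := "alice; echo injected", "s3cret"

	unsafeLine := buildShellLineUnsafe(user, pass)
	fmt.Printf("vulnerable line : %q\n", unsafeLine)
	fmt.Printf("has metachars   : %v\n", containsShellMeta(user))

	safe := buildHookCommandSafe("/usr/local/bin/auth-hook", user, pass)
	fmt.Printf("hardened argv   : %q\n", safe.Args)
	// safe.Run() is deliberately not called: the hook binary does not exist here.
}
```

The important difference is where the credential ends up: in the unsafe form it becomes part of the text a shell parses, so `;` and friends are syntax; in the safe form it is a value in argv or the environment, and the shell never sees it at all. Rejecting metacharacters is a reasonable extra layer, but removing the shell from the path is the fix.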
Business impact
The CVSS score of 9.3 reflects the severity of a pre-authentication RCE vulnerability. Successful exploitation allows an attacker to gain full control of the server, potentially leading to total system compromise, data theft, and the installation of persistent backdoors.
Remediation
Immediate Action: Upgrade File Browser to version 2.63.6 or later to ensure proper sanitization of input used in authentication hooks.
Proactive Monitoring: Review system logs for unexpected shell commands or processes being spawned by the filebrowser service user.
Compensating Controls: Disable the "Hook Authentication" feature if it is not currently in use, or place the login interface behind a VPN or IP whitelist to limit exposure to untrusted networks.
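One way to carry out the monitoring step above, as an added example that is not part of the advisory or of File Browser: scan process-start records for shells, or any child of the filebrowser process, running under the service account. The log format, the service user name "filebrowser" and the sample lines are all constructed for this illustration; adapt the parser to whatever your audit or EDR source actually emits.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a parsed process-start record in the constructed format below.
type ProcEvent struct {
	Time, User, Parent, Comm, Args string
}

// serviceUser is the account File Browser is assumed to run as (an assumption for
// this example; check the unit file or container spec for the real value).
const serviceUser = "filebrowser"

// shells lists interpreters whose appearance under the service user is unexpected.
var shells = map[string]bool{"sh": true, "bash": true, "dash": true, "zsh": true}

// parseProcEvent reads one line of the constructed format
//   <timestamp> user=<u> parent=<comm> comm=<comm> args=<rest of line>
// Everything after "args=" is kept verbatim because it may contain spaces.
func parseProcEvent(line string) (ProcEvent, bool) {
	var ev ProcEvent
	head, args, ok := strings.Cut(line, " args=")
	if !ok {
		return ev, false
	}
	ev.Args = args
	fields := strings.Fields(head)
	if len(fields) != 4 {
		return ev, false
	}
	ev.Time = fields[0]
	for _, f := range fields[1:] {
		k, v, _ := strings.Cut(f, "=")
		switch k {
		case "user":
			ev.User = v
		case "parent":
			ev.Parent = v
		case "comm":
			ev.Comm = v
		}
	}
	return ev, true
}

// isSuspicious implements the review rule from the advisory: a shell started by
// the service user, or anything spawned directly by the filebrowser process,
// deserves a look. Other accounts' shells (cron, admins) are out of scope here.
func isSuspicious(ev ProcEvent) bool {
	if ev.User != serviceUser {
		return false
	}
	return shells[ev.Comm] || ev.Parent == "filebrowser"
}

// findSuspicious returns the matching events in log order.
func findSuspicious(log string) []ProcEvent {
	var hits []ProcEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		if ev, ok := parseProcEvent(line); ok && isSuspicious(ev) {
			hits = append(hits, ev)
		}
	}
	return hits
}

// sampleLog is constructed for this example; it is not real File Browser output.
const sampleLog = `
2026-04-01T10:00:01Z user=filebrowser parent=systemd comm=filebrowser args=/usr/local/bin/filebrowser -c /etc/filebrowser.json
2026-04-01T10:00:05Z user=filebrowser parent=filebrowser comm=sh args=sh -c /usr/local/bin/auth-hook alice
2026-04-01T10:00:09Z user=root parent=cron comm=sh args=sh -c /etc/cron.hourly/logrotate
2026-04-01T10:00:12Z user=filebrowser parent=filebrowser comm=curl args=curl https://example.invalid/
2026-04-01T10:00:15Z user=www-data parent=nginx comm=nginx args=nginx: worker process
`

func main() {
	for _, ev := range findSuspicious(sampleLog) {
		fmt.Printf("%s  user=%s parent=%s comm=%s args=%q\n",
			ev.Time, ev.User, ev.Parent, ev.Comm, ev.Args)
	}
}
```

On the constructed sample the rule reports the shell and the curl child under the service account and ignores the daemon's own start, the root cron shell and the nginx worker. Once the upgrade to 2.63.6 is in place, a hook that is exec'd directly should still appear as a child of filebrowser, so tune the second clause to allowlist the configured hook binary if that noise matters in your environment.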
Exploitation status
Public Exploit Available: N/A
Analyst recommendation
This vulnerability represents an extreme risk due to its pre-authentication nature and the resulting ability to execute system-level commands. Immediate patching to version 2.63.6 is mandatory to secure the environment against potential exploitation.