Upgrade studio-42/elfinder to version 2.1.68 or higher.
studio-42/elfinder is an open-source file manager for the web, written in JavaScript using jQuery UI.
Affected versions of this package are vulnerable to SQL Injection in the elFinderVolumeMySQL process when handling the target parameter. An attacker can access unauthorized data or cause denial of service by injecting crafted input that manipulates SQL queries. This is only exploitable if the installation is configured to use the MySQL volume driver.
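The two conditions in this advisory (a version below 2.1.68 and a root that uses the MySQL volume driver) can be checked together during triage. The following is an added example, not code from the advisory or from the elFinder project; it assumes a Composer-managed install with a `composer.lock` and a PHP connector file, and the function names and sample inputs are hypothetical.

```python
import json
import re

PACKAGE = "studio-42/elfinder"
FIXED = (2, 1, 68)  # first fixed version named in the advisory
# Connector roots select a volume driver with 'driver' => '<name>'.
# This is a text match, so a commented-out root also matches: review hits by hand.
MYSQL_DRIVER = re.compile(r"""['"]driver['"]\s*=>\s*['"]MySQL['"]""", re.IGNORECASE)

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_LOCK = json.dumps({"packages": [{"name": PACKAGE, "version": "2.1.62"}]})
SAMPLE_CONNECTOR = """$opts = array('roots' => array(array(
    'driver' => 'MySQL',
    'host'   => 'localhost',
)));"""

def parse_version(text):
    """Turn '2.1.62' or 'v2.1.62' into a comparable tuple; None if not x.y.z."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def locked_version(composer_lock_text):
    """Return the locked elFinder version string from composer.lock, or None."""
    lock = json.loads(composer_lock_text)
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        if pkg.get("name", "").lower() == PACKAGE:
            return pkg.get("version")
    return None

def assess(composer_lock_text, connector_source):
    """Classify one install against the advisory's two conditions."""
    version = locked_version(composer_lock_text)
    if version is None:
        return "not-installed"
    parsed = parse_version(version)
    if parsed is None:
        return "unknown-version"   # e.g. a dev branch: check the commit manually
    if parsed >= FIXED:
        return "patched"
    if MYSQL_DRIVER.search(connector_source):
        return "exposed"           # affected version and MySQL volume driver in use
    return "affected-version"      # upgrade anyway; MySQL driver not configured

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_CONNECTOR))
```

An `affected-version` result still calls for the upgrade, since a MySQL root added later would make the install exploitable.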