PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-60102 horde CVE debrief

CVE-2026-60102 is an OS command injection vulnerability in the Horde_Vfs_Smb driver of Horde Virtual File System (VFS) API before version 3.0.1. The vulnerability occurs because the _escapeShellCommand() method fails to sanitize command substitution sequences. This allows authenticated attackers to inject arbitrary shell commands through user-controlled filenames. The commands are executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.

Vendor
horde
Product
Vfs
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Administrators and users of Horde Virtual File System (VFS) API versions before 3.0.1 should be aware of this vulnerability. As the vulnerability requires authentication, users with access to the VFS API are at risk.

Technical summary

The Horde Virtual File System (VFS) API before version 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver. The _escapeShellCommand() method fails to properly sanitize command substitution sequences in user-controlled filenames. Attackers can inject arbitrary shell commands through operations like file upload, folder creation, rename, or deletion. These commands are executed via proc_open() in a double-quoted shell context, leading to arbitrary command execution on the underlying system.

Defensive priority

High

Recommended defensive actions

  • Update Horde Virtual File System (VFS) API to version 3.0.1 or later
  • Restrict access to the VFS API to only necessary users
  • Monitor VFS API logs for suspicious activity
  • Implement additional security measures such as Web Application Firewalls (WAFs) to detect and prevent exploitation attempts
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-08T17:17:28.997Z and was last modified on 2026-07-10T18:46:32.250Z. The NVD entry is currently Deferred. Evidence is limited to public sources and may not reflect the full scope of affected systems or available mitigations. Defenders should verify the vulnerability's impact on their specific environments and review official advisories for detailed guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T17:17:28.997Z and has not been modified since then. The NVD entry is currently Deferred.