PatchSiren

horde CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH horde CVE published 2026-07-08

CVE-2026-60102

CVE-2026-60102 is an OS command injection vulnerability in the Horde_Vfs_Smb driver of Horde Virtual File System (VFS) API before version 3.0.1. The vulnerability occurs because the _escapeShellCommand() method fails to sanitize command substitution sequences. This allows authenticated attackers to inject arbitrary shell commands through user-controlled filenames. The commands are executed via proc_open() [truncated]