CVE-2026-41247: elFinder: Command injection in resize background color parameter when using ImageMagick CLI
elFinder contains a command injection vulnerability in the resize command.
The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user.
This issue affects configurations where:
- the resize command is enabled,
- image processing uses the ImageMagick CLI backend, and
- the vulnerable code paths are reachable.
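The following is an added illustration, not elFinder's own code: it contrasts the unsafe pattern described above (interpolating a user-supplied bg value into a shell string) with a hardened command builder that accepts only a strict hex colour and shell-escapes every argument handed to the ImageMagick CLI. The function names, the `convert` invocation and the sample values are assumptions for the example.

```php
<?php
// Added example (hypothetical names); not elFinder's implementation.

// UNSAFE pattern: the bg value reaches the shell string unescaped, so any
// shell metacharacters in it are interpreted by the shell, not by convert.
function buildResizeCommandUnsafe(string $src, string $dst, int $w, int $h, string $bg): string {
    return "convert $src -resize {$w}x{$h} -background $bg $dst";
}

// Hardened: accept only a plain CSS hex colour (#rgb or #rrggbb); anything
// else is rejected before it can reach a command string.
function validateBgColor(string $bg): ?string {
    if (!preg_match('/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $bg)) {
        return null;
    }
    return strtolower($bg);
}

// Hardened builder: validates bg and dimensions, then escapes every argument
// individually with escapeshellarg so the shell sees each one as a single
// literal token. Returns null when the input is rejected.
function buildResizeCommandSafe(string $convertBin, string $src, string $dst, int $w, int $h, string $bg): ?string {
    $safeBg = validateBgColor($bg);
    if ($safeBg === null || $w <= 0 || $h <= 0) {
        return null;
    }
    $args = [
        escapeshellarg($src),
        '-resize', escapeshellarg($w . 'x' . $h),
        '-background', escapeshellarg($safeBg),
        escapeshellarg($dst),
    ];
    // $convertBin comes from server configuration, not from the request.
    return escapeshellcmd($convertBin) . ' ' . implode(' ', $args);
}

// Constructed sample inputs for demonstration.
var_dump(buildResizeCommandSafe('/usr/bin/convert', 'in.png', 'out.png', 200, 100, '#FFaa00'));
// string: "/usr/bin/convert 'in.png' -resize '200x100' -background '#ffaa00' 'out.png'"
var_dump(buildResizeCommandSafe('/usr/bin/convert', 'in.png', 'out.png', 200, 100, 'not a colour'));
// NULL: rejected by validateBgColor before any command string is built
```

Allow-list validation is the primary control here; escaping is the second layer, so a value that fails validation never reaches the shell at all.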