GHSA-8q4h-8crm-5cvc: elFinder: Command injection in resize background color parameter when using ImageMagick CLI

April 17, 2026

elFinder contains a command injection vulnerability in the resize command.

The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user.

This issue affects configurations where:

the resize command is enabled,
image processing uses the ImageMagick CLI backend, and
the vulnerable code paths are reachable.

References

Code Behaviors & Features

Detect and mitigate GHSA-8q4h-8crm-5cvc with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →