A vulnerability classified as very critical has been found in horde Vfs up to 3.0.0. Affected by this issue is the function _escapeShellCommand of the component SMB Driver. The manipulation of the argument filename leads to os command injection.

This vulnerability is traded as CVE-2026-60102. It is possible to initiate the attack remotely. There is no exploit available.