A vulnerability classified as very critical has been found in horde Vfs up to 3.0.0. Affected by this issue is the function
_escapeShellCommand of the component SMB Driver. The manipulation of the argument filename leads to os command injection.
This vulnerability is traded as CVE-2026-60102. It is possible to initiate the attack remotely. There is no exploit available.