Is CVE-2026-41247 in the CISA KEV catalog?

No. CVE-2026-41247 is not currently on the CISA Known Exploited Vulnerabilities list.

What is the CVSS severity of CVE-2026-41247?

CVE-2026-41247 has a CVSS v3 base score of 9.8 (CRITICAL).

What is the EPSS score for CVE-2026-41247?

CVE-2026-41247 has an EPSS score of 1.57% (72th percentile), estimating the probability of exploitation in the next 30 days.

CVE & CISA-KEV Catalog

CVE-2026-41247

CRITICALEPSS 72th pctl

9.8

CVSS v3

NVD

Description

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user. This vulnerability is fixed in 2.1.67.

CWE-78OS Command Injection

CVSS v3 Vector

Exploitability

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

Impact

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploit Intelligence

1.57%probability of exploitation in 30 days

72ndpercentile

Elevated risk: more likely to be exploited than 72% of all known CVEs.

References

https://github.com/Studio-42/elFinder/security/advisories/GHSA-8q4h-8crm-5cvc

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-04-28.