A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. This issue is fixed in FileMaker Cloud 2.22.0.5.
PUBLISHED · CVE record format 5.2
Problem type
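- A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. The CISA-ADP container in the JSON record classifies this as CWE-78 (OS Command Injection) and scores it CVSS 3.1 7.2 HIGH with privileges required HIGH (PR:H).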
Affected products
Claris
FileMaker Cloud
< 2.22.0.5 - AFFECTED
References
GitHub Security Advisories
GHSA-vxm5-52jm-vr7c
A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console...
https://github.com/advisories/GHSA-vxm5-52jm-vr7c
A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. This issue is fixed in FileMaker Cloud 2.22.0.5.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-43685
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-43685",
"assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
"assignerShortName": "apple",
"dateUpdated": "2026-05-13T00:17:22.242Z",
"dateReserved": "2026-05-01T22:46:21.642Z",
"datePublished": "2026-05-12T22:24:57.534Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c",
"shortName": "apple",
"dateUpdated": "2026-05-12T22:24:57.534Z"
},
"descriptions": [
{
"lang": "en",
"value": "A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. This issue is fixed in FileMaker Cloud 2.22.0.5."
}
],
"affected": [
{
"vendor": "Claris",
"product": "FileMaker Cloud",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "custom",
"lessThan": "2.22.0.5"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature."
}
]
}
],
"references": [
{
"url": "https://support.claris.com/s/answerview?anum=000049154&language=en_US"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-05-13T00:17:22.242Z"
},
"title": "CISA ADP Vulnrichment",
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
"cweId": "CWE-78",
"type": "CWE"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "HIGH",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH"
}
},
{}
]
}
]
}
}