Company:
Date Published:
Author: Thomas Chauchefoin
Word count: 2949
Language: English
Hacker News points: None

Summary

Security vulnerabilities were discovered in the elFinder web file manager, a popular component used in Content Management Systems (CMS) and frameworks. The vulnerabilities allow attackers to delete or move arbitrary files, upload PHP files, perform argument injection, and trigger a race condition, potentially leading to arbitrary code execution on the server. The vulnerabilities were reported to the elFinder maintainers through a responsible disclosure process and have been fixed in version 2.1.59. Users are advised to upgrade to this version immediately and to enforce strong access control on the connector.