Skip to main content

Laravel File Manager CVE-2025-56399

HIGH
Code Injection (CWE-94)
2025-10-28 cve@mitre.org
8.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable APIs and simple HTTP steps give AV:N/AC:L; a valid file-manager account is required so PR:L, and full RCE yields C:H/I:H/A:H with unchanged scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:09 vuln.today

DescriptionCVE.org

alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a '.png extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to .php`, and upon accessing it via a public URL, the server executes the embedded code.

AnalysisAI

Remote code execution in alexusmai laravel-file-manager (versions 3.3.1 and earlier) lets an authenticated user with file-manager access run arbitrary PHP on the server by uploading a PHP payload disguised with a .png extension, then abusing the rename API to give it a .php extension so it executes when requested via a public URL. The flaw stems from client-side-only upload validation combined with an unrestricted rename operation and web-accessible storage. No CISA KEV listing; EPSS is a modest 0.55% (42nd percentile), but a dedicated GitHub repository referencing this CVE indicates public proof-of-concept material likely exists.

Technical ContextAI

alexusmai/laravel-file-manager is a Composer package that adds a Vue.js-based file browser and upload/rename/delete API to Laravel applications, typically exposing a storage disk over HTTP. The root cause is CWE-94 (Code Injection): upload restrictions are enforced only in the client-side JavaScript, so a server-side path still persists the file even after the browser reports a validation failure. Because the package also exposes a rename endpoint that does not restrict target extensions, and uploaded content is stored in a directory served directly by the web server, an operator can convert an image-named payload into an executable .php script that the PHP interpreter runs on access. The dangerous combination is trusted-client validation plus an extension-agnostic rename plus web-reachable storage.

Affected ProductsAI

alexusmai/laravel-file-manager version 3.3.1 and all prior releases are affected, deployed as a Laravel package within host applications. No CPE string was provided in the intelligence data, and the only reference is a third-party GitHub repository (https://github.com/Theethat-Thamwasin/CVE-2025-56399); no official vendor advisory URL was supplied. Applications embedding this package and exposing its upload/rename endpoints to non-administrative users are the exposed surface.

RemediationAI

No vendor-released patched version was identified in the provided data, so treat fix availability as unconfirmed: monitor the alexusmai/laravel-file-manager GitHub project and Packagist for a release above 3.3.1 and upgrade to it once published. As specific compensating controls in the interim: configure the web server (or the storage disk) so the upload directory cannot execute PHP - for Apache add 'php_admin_flag engine off' or remove the PHP handler for that path, or on nginx route the upload location without the PHP FastCGI pass; store uploads outside the public web root and serve them only through a controller that streams content with a forced non-executable content type; and restrict or disable the rename API, or enforce a server-side allowlist of permitted extensions on both upload and rename, since client-side validation is bypassable. Also limit file-manager access to trusted administrators only. Trade-offs: disabling PHP execution in the storage path is low-impact and highly effective; disabling rename removes legitimate functionality; serving through a controller adds overhead but closes direct-URL execution. Reference the tracking repository at https://github.com/Theethat-Thamwasin/CVE-2025-56399 for PoC details when validating fixes.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2025-56399 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy