Skip to main content

PHP EUVD-2026-23437

| CVE-2026-6496 LOW
Path Traversal (CWE-22)
2026-04-17 VulDB GHSA-c9vj-5wx9-69pj
PHP Path Traversal
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
CVSS changed
Apr 17, 2026 - 15:22 NVD
5.4 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 17, 2026 - 15:00 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 14:45 euvd
EUVD-2026-23437
Analysis Generated
Apr 17, 2026 - 14:45 vuln.today
CVE Published
Apr 17, 2026 - 14:30 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was found in prasathmani TinyFileManager up to 2.6. Affected is an unknown function of the file /filemanager.php of the component POST Parameter Handler. The manipulation of the argument file[] results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Path traversal in prasathmani TinyFileManager up to version 2.6 allows authenticated remote attackers to manipulate the file[] POST parameter in /filemanager.php to read, modify, or delete arbitrary files on the server outside the intended directory scope. CVSS 5.4 reflects the authenticated requirement and lack of confidentiality impact, though integrity and availability are compromised. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain valid TinyFileManager credentials
Delivery
Send crafted POST request to /filemanager.php
Exploit
Include path traversal sequence in file[] parameter
Install
Parser processes unsanitized path without validation
C2
Access arbitrary file outside intended directory
Execute
Read, modify, or delete sensitive files
Impact
Compromise confidentiality, integrity, or availability
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires valid authentication credentials for TinyFileManager; unauthenticated remote access is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS score of 5.4 reflects a Medium severity assessment driven by the requirement for authenticated access (PR:L), network attack vector (AV:N), and low attack complexity (AC:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated attacker with valid credentials (such as a compromised user account or shared admin credentials) submits a POST request to /filemanager.php with a crafted file[] parameter containing path traversal sequences (e.g., file[]=../../../../../../etc/passwd). The vulnerable code processes this parameter without proper canonicalization, allowing the attacker to read sensitive configuration files, modify web content, or delete critical application files. …
Remediation No vendor-released patch has been confirmed at time of analysis due to vendor non-responsiveness. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

EUVD-2026-23437 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy