
Responsive FileManager EUVD-2026-36716

CVE-2026-5482 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-15 CERT-PL GHSA-3pvv-gjhm-83qj
9.3 CVSS 4.0 · Vendor: CERT-PL

Severity by source

Vendor (CERT-PL), primary source: 9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 9.8 CRITICAL

Unauthenticated network upload to dialog.php yields RCE with no user interaction, giving full C/I/A impact on the web server; scope unchanged within the PHP host.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Primary rating from Vendor (CERT-PL).

CVSS Vector (Vendor: CERT-PL)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

1. Analysis generated: Jun 15, 2026, 12:20 (vuln.today)

Description (CVE.org)

Responsive FileManager allows an unauthenticated attacker to upload files of any type and extension without restriction via the dialog.php endpoint, leading to remote code execution.

This project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release, 9.14.0.

Analysis (AI)

Unrestricted file upload in Responsive FileManager 9.14.0 (and likely earlier) allows remote unauthenticated attackers to upload arbitrary files, including PHP scripts, via the dialog.php endpoint, leading directly to remote code execution on the hosting web server. The project is unmaintained at the time of CVE assignment, so no vendor patch is forthcoming; while no public exploit is identified at the time of analysis, the trivial nature of unrestricted file upload makes weaponization straightforward.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed dialog.php endpoint
Delivery: Craft multipart POST with PHP webshell
Exploit: Upload bypasses extension check
Execution: Request uploaded shell URL
Persist: Execute code as web server user
Impact: Pivot to data theft or lateral movement

Vulnerability Assessment (AI)

Exploitation: The application must expose the dialog.php upload endpoint of Responsive FileManager (the default integration path used by TinyMCE/CKEditor plugins) to the attacker's network, and the configured upload directory must be served by the PHP interpreter so that an uploaded .php file can be executed via an HTTP request. …

Risk Assessment: All signals point to high real-world risk: the CVSS 4.0 base vector AV:N/AC:L/AT:N/PR:N/UI:N with VC:H/VI:H/VA:H (score 9.3) describes a network-reachable, unauthenticated, no-interaction RCE with high impact on confidentiality, integrity and availability. …

Exploit Scenario: An unauthenticated attacker discovers a site exposing /filemanager/dialog.php (commonly indexed by Google dorks or fingerprinted via TinyMCE/CKEditor integrations) and issues a single multipart POST containing a PHP webshell named e.g. shell.php. …

Remediation: No vendor-released patch is identified at the time of analysis (the project is unmaintained), so the durable fix is to remove Responsive FileManager and migrate to a maintained alternative such as elFinder or a framework-native upload component. …

Recommended Action (AI)

Within 24 hours: Identify all instances of Responsive FileManager 9.14.0 and earlier, document exposure (internet-facing or internal), and search logs for suspicious upload activity. …
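The log search recommended above, as an added example that is not from vuln.today or the Responsive FileManager project: it scans combined-format web-server access logs for POSTs to the dialog.php endpoint named in this advisory and for requests to server-side scripts under the upload directory, and rates the upload-then-request sequence from one IP as critical. It assumes the upload directory is served at /uploads/ (a placeholder to set per deployment); the sample log lines are constructed.

```python
import re

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2026:12:01:09 +0000] "POST /filemanager/dialog.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jun/2026:12:01:15 +0000] "GET /uploads/shell.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [15/Jun/2026:12:05:40 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 40213 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Jun/2026:12:06:01 +0000] "POST /filemanager/dialog.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Responsive FileManager's upload/dialog endpoint, as named in the advisory.
UPLOAD_ENDPOINT = re.compile(r"/dialog\.php$")
# ASSUMPTION (placeholder): the configured upload directory is served at /uploads/; set to the real path.
UPLOAD_DIR = "/uploads/"
# Extensions a PHP handler may execute; the trailing "\." also catches double extensions (x.php.jpg).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)


def parse_line(line):
    """Return ip, ts, method, path (query string stripped) and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_upload_abuse(log_text):
    """Flag POSTs to dialog.php and requests for server-side scripts under the upload directory."""
    posted = set()  # IPs that have already POSTed to dialog.php earlier in the log
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        path, ip = rec["path"], rec["ip"]
        if rec["method"] == "POST" and UPLOAD_ENDPOINT.search(path):
            posted.add(ip)
            findings.append({"line": n, "ip": ip, "severity": "medium",
                             "reason": "POST to Responsive FileManager dialog.php upload endpoint"})
        elif path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            # Script fetched from the upload dir after an upload POST from the same IP: the advisory's chain.
            sev = "critical" if ip in posted else "high"
            findings.append({"line": n, "ip": ip, "severity": sev,
                             "reason": f"server-side script requested from upload dir: {path}"})
    return findings
```

Call find_upload_abuse() with the contents of a real access log (or SAMPLE_LOG) to get the list of findings; a "high" rating without a preceding POST still warrants checking the upload directory for scripts.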
