Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities by unisharp
CVE-2019-25673 (GCVE-0-2019-25673)
Vulnerability from nvd – Published: 2026-04-05 20:45 – Updated: 2026-06-23 16:13
VLAI
Title
UniSharp Laravel File Manager v2.0.0-alpha7 Arbitrary File Upload
Summary
UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46389 | exploit |
| https://github.com/UniSharp/laravel-filemanager | product |
| https://github.com/UniSharp/laravel-filemanager/i… | issue-tracking |
| https://www.vulncheck.com/advisories/unisharp-lar… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| UniSharp | Laravel File Manager |
Affected:
2.0.0
|
Date Public
2019-02-15 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25673",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T15:53:46.706479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T15:54:09.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Laravel File Manager",
"vendor": "UniSharp",
"versions": [
{
"status": "affected",
"version": "2.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mohammad Danish"
}
],
"datePublic": "2019-02-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:13:01.769Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46389",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46389"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://github.com/UniSharp/laravel-filemanager"
},
{
"name": "Source Code Repository",
"tags": [
"issue-tracking"
],
"url": "https://github.com/UniSharp/laravel-filemanager/issues/356"
},
{
"name": "VulnCheck Advisory: UniSharp Laravel File Manager v2.0.0-alpha7 Arbitrary File Upload",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/unisharp-laravel-file-manager-alpha7-arbitrary-file-upload"
}
],
"title": "UniSharp Laravel File Manager v2.0.0-alpha7 Arbitrary File Upload",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25673",
"datePublished": "2026-04-05T20:45:25.829Z",
"dateReserved": "2026-04-05T13:17:49.662Z",
"dateUpdated": "2026-06-23T16:13:01.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-40734 (GCVE-0-2022-40734)
Vulnerability from nvd – Published: 2022-09-14 00:00 – Updated: 2024-08-03 12:21
VLAI
KEVIntel
Summary
UniSharp laravel-filemanager (aka Laravel Filemanager) before 2.6.4 allows download?working_dir=%2F.. directory traversal to read arbitrary files, as exploited in the wild in June 2022. This is related to league/flysystem before 2.0.0.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.472Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1150"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1320186966"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1825310417"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "UniSharp laravel-filemanager (aka Laravel Filemanager) before 2.6.4 allows download?working_dir=%2F.. directory traversal to read arbitrary files, as exploited in the wild in June 2022. This is related to league/flysystem before 2.0.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-24T13:16:18.637Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1150"
},
{
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1320186966"
},
{
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1825310417"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-40734",
"datePublished": "2022-09-14T00:00:00.000Z",
"dateReserved": "2022-09-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T12:21:46.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23814 (GCVE-0-2021-23814)
Vulnerability from nvd – Published: 2021-12-17 20:00 – Updated: 2025-06-17 11:38
VLAI
Summary
This affects versions of the package unisharp/laravel-filemanager before 2.6.2. The upload() function does not sufficiently validate the file type when uploading.
An attacker may be able to reproduce the following steps:
1. Install a package with a web Laravel application.
2. Navigate to the Upload window
3. Upload an image file, then capture the request
4. Edit the request contents with a malicious file (webshell)
5. Enter the path of file uploaded on URL - Remote Code Execution
**Note:** Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories).
Severity
6.7 (Medium)
CWE
- CWE-94 - Arbitrary File Upload
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | unisharp/laravel-filemanager |
Affected:
0 , < 2.6.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:14:08.890Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-PHP-UNISHARPLARAVELFILEMANAGER-1567199"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/UniSharp/laravel-filemanager/blob/master/src/Controllers/UploadController.php%23L26"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1113#issuecomment-1812092975"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "unisharp/laravel-filemanager",
"vendor": "n/a",
"versions": [
{
"lessThan": "2.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Huy Nguyen"
}
],
"descriptions": [
{
"lang": "en",
"value": "This affects versions of the package unisharp/laravel-filemanager before 2.6.2. The upload() function does not sufficiently validate the file type when uploading.\r\rAn attacker may be able to reproduce the following steps:\r\r1. Install a package with a web Laravel application.\r2. Navigate to the Upload window\r3. Upload an image file, then capture the request\r4. Edit the request contents with a malicious file (webshell)\r5. Enter the path of file uploaded on URL - Remote Code Execution\r\r\r**Note:** Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Arbitrary File Upload",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T11:38:06.941Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-PHP-UNISHARPLARAVELFILEMANAGER-1567199"
},
{
"url": "https://github.com/UniSharp/laravel-filemanager/blob/master/src/Controllers/UploadController.php%23L26"
},
{
"url": "https://github.com/UniSharp/laravel-filemanager/releases/tag/v2.5.1"
},
{
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1113"
},
{
"url": "https://github.com/UniSharp/laravel-filemanager/releases/tag/v2.6.2"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2021-23814",
"datePublished": "2021-12-17T20:00:14.149Z",
"dateReserved": "2021-01-08T00:00:00.000Z",
"dateUpdated": "2025-06-17T11:38:06.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-25673 (GCVE-0-2019-25673)
Vulnerability from cvelistv5 – Published: 2026-04-05 20:45 – Updated: 2026-06-23 16:13
VLAI
Title
UniSharp Laravel File Manager v2.0.0-alpha7 Arbitrary File Upload
Summary
UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46389 | exploit |
| https://github.com/UniSharp/laravel-filemanager | product |
| https://github.com/UniSharp/laravel-filemanager/i… | issue-tracking |
| https://www.vulncheck.com/advisories/unisharp-lar… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| UniSharp | Laravel File Manager |
Affected:
2.0.0
|
Date Public
2019-02-15 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25673",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T15:53:46.706479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T15:54:09.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Laravel File Manager",
"vendor": "UniSharp",
"versions": [
{
"status": "affected",
"version": "2.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mohammad Danish"
}
],
"datePublic": "2019-02-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:13:01.769Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46389",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46389"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://github.com/UniSharp/laravel-filemanager"
},
{
"name": "Source Code Repository",
"tags": [
"issue-tracking"
],
"url": "https://github.com/UniSharp/laravel-filemanager/issues/356"
},
{
"name": "VulnCheck Advisory: UniSharp Laravel File Manager v2.0.0-alpha7 Arbitrary File Upload",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/unisharp-laravel-file-manager-alpha7-arbitrary-file-upload"
}
],
"title": "UniSharp Laravel File Manager v2.0.0-alpha7 Arbitrary File Upload",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25673",
"datePublished": "2026-04-05T20:45:25.829Z",
"dateReserved": "2026-04-05T13:17:49.662Z",
"dateUpdated": "2026-06-23T16:13:01.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-40734 (GCVE-0-2022-40734)
Vulnerability from cvelistv5 – Published: 2022-09-14 00:00 – Updated: 2024-08-03 12:21
VLAI
KEVIntel
Summary
UniSharp laravel-filemanager (aka Laravel Filemanager) before 2.6.4 allows download?working_dir=%2F.. directory traversal to read arbitrary files, as exploited in the wild in June 2022. This is related to league/flysystem before 2.0.0.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.472Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1150"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1320186966"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1825310417"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "UniSharp laravel-filemanager (aka Laravel Filemanager) before 2.6.4 allows download?working_dir=%2F.. directory traversal to read arbitrary files, as exploited in the wild in June 2022. This is related to league/flysystem before 2.0.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-24T13:16:18.637Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1150"
},
{
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1320186966"
},
{
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1825310417"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-40734",
"datePublished": "2022-09-14T00:00:00.000Z",
"dateReserved": "2022-09-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T12:21:46.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23814 (GCVE-0-2021-23814)
Vulnerability from cvelistv5 – Published: 2021-12-17 20:00 – Updated: 2025-06-17 11:38
VLAI
Summary
This affects versions of the package unisharp/laravel-filemanager before 2.6.2. The upload() function does not sufficiently validate the file type when uploading.
An attacker may be able to reproduce the following steps:
1. Install a package with a web Laravel application.
2. Navigate to the Upload window
3. Upload an image file, then capture the request
4. Edit the request contents with a malicious file (webshell)
5. Enter the path of file uploaded on URL - Remote Code Execution
**Note:** Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories).
Severity
6.7 (Medium)
CWE
- CWE-94 - Arbitrary File Upload
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | unisharp/laravel-filemanager |
Affected:
0 , < 2.6.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:14:08.890Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-PHP-UNISHARPLARAVELFILEMANAGER-1567199"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/UniSharp/laravel-filemanager/blob/master/src/Controllers/UploadController.php%23L26"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1113#issuecomment-1812092975"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "unisharp/laravel-filemanager",
"vendor": "n/a",
"versions": [
{
"lessThan": "2.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Huy Nguyen"
}
],
"descriptions": [
{
"lang": "en",
"value": "This affects versions of the package unisharp/laravel-filemanager before 2.6.2. The upload() function does not sufficiently validate the file type when uploading.\r\rAn attacker may be able to reproduce the following steps:\r\r1. Install a package with a web Laravel application.\r2. Navigate to the Upload window\r3. Upload an image file, then capture the request\r4. Edit the request contents with a malicious file (webshell)\r5. Enter the path of file uploaded on URL - Remote Code Execution\r\r\r**Note:** Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Arbitrary File Upload",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T11:38:06.941Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-PHP-UNISHARPLARAVELFILEMANAGER-1567199"
},
{
"url": "https://github.com/UniSharp/laravel-filemanager/blob/master/src/Controllers/UploadController.php%23L26"
},
{
"url": "https://github.com/UniSharp/laravel-filemanager/releases/tag/v2.5.1"
},
{
"url": "https://github.com/UniSharp/laravel-filemanager/issues/1113"
},
{
"url": "https://github.com/UniSharp/laravel-filemanager/releases/tag/v2.6.2"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2021-23814",
"datePublished": "2021-12-17T20:00:14.149Z",
"dateReserved": "2021-01-08T00:00:00.000Z",
"dateUpdated": "2025-06-17T11:38:06.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}