Vulnerability-Lookup

GHSA-3PVV-GJHM-83QJ

Vulnerability from github – Published: 2026-06-15 12:32 – Updated: 2026-06-15 12:32

Details

Responsive FileManager's allows an unauthenticated attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution.

This project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release 9.14.0

Severity

9.3 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-5482"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T12:16:25Z",
    "severity": "CRITICAL"
  },
  "details": "Responsive FileManager\u0027s allows an unauthenticated\u00a0attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution.\u00a0\n\nThis project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release\u00a09.14.0",
  "id": "GHSA-3pvv-gjhm-83qj",
  "modified": "2026-06-15T12:32:45Z",
  "published": "2026-06-15T12:32:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5482"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2026/06/CVE-2026-5482"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trippo/ResponsiveFilemanager"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

CVE-2026-5482 (GCVE-0-2026-5482)

Vulnerability from cvelistv5 – Published: 2026-06-15 11:44 – Updated: 2026-06-15 12:32 Unsupported When Assigned X_Open Source

Title

Remote Code Execution via Unrestricted File Upload in Responsive FileManager

Summary

Responsive FileManager's allows an unauthenticated attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution. This project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release 9.14.0

Severity

9.3 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-434 - Unrestricted Upload of File with Dangerous Type

Assigner

CERT-PL

References

2 references

URL	Tags
https://cert.pl/en/posts/2026/06/CVE-2026-5482	third-party-advisory
https://github.com/trippo/ResponsiveFilemanager	product

Impacted products

1 product

Vendor	Product	Version
Tecrail	Responsive FileManager	Affected: 0 , ≤ 9.14.0 (semver)

Date Public

2026-06-15 11:44

Credits

Kamil Szczurowski Robert Kruczek

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5482",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T12:32:30.749356Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T12:32:39.368Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Responsive FileManager",
          "programFiles": [
            "filemanager/dialog.php"
          ],
          "repo": "https://github.com/trippo/ResponsiveFilemanager",
          "vendor": "Tecrail",
          "versions": [
            {
              "lessThanOrEqual": "9.14.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kamil Szczurowski"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Robert Kruczek"
        }
      ],
      "datePublic": "2026-06-15T11:44:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Responsive FileManager\u0027s allows an \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eunauthenticated\u0026nbsp;\u003c/span\u003eattacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eThis project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release\u0026nbsp;9.14.0\u0026nbsp;"
            }
          ],
          "value": "Responsive FileManager\u0027s allows an unauthenticated\u00a0attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution.\u00a0\n\nThis project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release\u00a09.14.0"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T11:44:46.963Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2026/06/CVE-2026-5482"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/trippo/ResponsiveFilemanager"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "unsupported-when-assigned",
        "x_open-source"
      ],
      "title": "Remote Code Execution via Unrestricted File Upload in Responsive FileManager",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2026-5482",
    "datePublished": "2026-06-15T11:44:46.963Z",
    "dateReserved": "2026-04-03T09:53:14.018Z",
    "dateUpdated": "2026-06-15T12:32:39.368Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-3PVV-GJHM-83QJ

CVE-2026-5482 (GCVE-0-2026-5482)

Tags

Sightings

Nomenclature