Description
phpFileManager 1.7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the action, fm_current_dir, and filename parameters. Attackers can send GET requests to index.php with crafted parameter values to access sensitive files like /etc/passwd from the server.
Published: 2026-03-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion allowing arbitrary file read
Action: Patch Now
AI Analysis

Impact

A local file inclusion vulnerability in phpFileManager 1.7.8 permits unauthenticated users to read any file on the server by manipulating the action, fm_current_dir, and filename parameters in index.php. This flaw allows attackers to download sensitive files such as /etc/passwd by issuing crafted GET requests, exposing confidential data and providing a foothold for further exploitation.

Affected Systems

The flaw affects the Sourceforge phpFileManager 1.7.8 release. No other versions or builds are listed as vulnerable in the available data.

Risk and Exploitability

With a CVSS score of 6.9, the severity is moderate but noteworthy. Exploitation requires only a web request with specific parameters, meaning any host running the vulnerable package is at risk without authentication. The EPSS score is unavailable, and the vulnerability is not in the CISA KEV catalog, but its relative ease of exploitation makes it a practical threat for attackers scanning web applications.

Generated by OpenCVE AI on March 24, 2026 at 12:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpFileManager to the latest version or apply an available patch.
  • If an upgrade is not possible, restrict external access to index.php using web‑server rules or a firewall.
  • Ensure input parameters are properly validated and sanitized to prevent LFI before the application processes them.
  • Verify that file system permissions do not allow the web process to read system files such as /etc/passwd.
  • Monitor web logs for repeated attempts to read disallowed files and apply intrusion detection if possible.

Generated by OpenCVE AI on March 24, 2026 at 12:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Sourceforge
Sourceforge phpfilemanager
Vendors & Products Sourceforge
Sourceforge phpfilemanager

Tue, 24 Mar 2026 11:45:00 +0000

Type Values Removed Values Added
Description phpFileManager 1.7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the action, fm_current_dir, and filename parameters. Attackers can send GET requests to index.php with crafted parameter values to access sensitive files like /etc/passwd from the server.
Title phpFileManager 1.7.8 Local File Inclusion via index.php
First Time appeared Dulldusk
Dulldusk phpfilemanager
Weaknesses CWE-306
CPEs cpe:2.3:a:dulldusk:phpfilemanager:1.7.8:*:*:*:*:*:*:*
Vendors & Products Dulldusk
Dulldusk phpfilemanager
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Dulldusk Phpfilemanager
Sourceforge Phpfilemanager
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T12:38:55.082Z

Reserved: 2026-03-24T11:02:26.100Z

Link: CVE-2019-25632

cve-icon Vulnrichment

Updated: 2026-03-26T12:38:51.278Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T12:16:03.597

Modified: 2026-03-25T21:45:13.947

Link: CVE-2019-25632

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:39:38Z

Weaknesses