Description
UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path.
Published: 2026-04-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate patch
AI Analysis

Impact

The vulnerability allows an authenticated attacker to upload arbitrary files, specifically PHP scripts, to the file manager via multipart form data. Executing one of these uploaded scripts gives the attacker the ability to run arbitrary PHP code on the server, compromising confidentiality, integrity, and availability of the system. The weakness is an arbitrary file upload flaw, identified as CWE-434.

Affected Systems

The affected product is UniSharp Laravel File Manager, versions 2.0.0-alpha7 and 2.0.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, but EPSS data is missing, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be through the web application interface of the upload endpoint, requiring authentication to the file manager. Once authenticated, an attacker can craft a multipart request to upload a PHP file and then trigger it via the working directory path.

Generated by OpenCVE AI on April 5, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check UniSharp's GitHub releases for a version that fixes the arbitrary file upload issue
  • If no fix is available, temporarily disable the upload endpoint or restrict uploads to image file types only
  • Implement server‑side validation to reject files with PHP extensions and enforce MIME type checks

Generated by OpenCVE AI on April 5, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Unisharp
Unisharp laravel-filemanager
Vendors & Products Unisharp
Unisharp laravel-filemanager

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path.
Title UniSharp Laravel File Manager v2.0.0-alpha7 Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Unisharp Laravel-filemanager
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:54:09.561Z

Reserved: 2026-04-05T13:17:49.662Z

Link: CVE-2019-25673

cve-icon Vulnrichment

Updated: 2026-04-06T15:54:03.464Z

cve-icon NVD

Status : Deferred

Published: 2026-04-05T21:16:45.113

Modified: 2026-04-16T16:15:56.380

Link: CVE-2019-25673

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:48:35Z

Weaknesses