Description
An issue in Alexantr filemanager v.1.0 allows a remote attacker to execute arbitrary code via the filemanager.php component
Published: 2026-06-29
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the Alexantr Filemanager component, allowing a remote attacker to execute arbitrary code via the filemanager.php file in version 1.0, which could compromise the confidentiality, integrity, and availability of the system. The flaw is a result of insufficient validation of user input, leading to code injection.

Affected Systems

Alexantr Filemanager version 1.0 is affected. No other vendors, products, or versions are listed in the current data.

Risk and Exploitability

The risk is high due to the remote execution capability. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through HTTP requests targeting the vulnerable filemanager.php component, and exploitation requires no special access beyond reachability of the web application.

Generated by OpenCVE AI on June 29, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check whether a fixed release that supersedes Alexantr Filemanager v1.0 is available and apply the vendor's patch if released.
  • Restrict access to the filemanager.php component by configuring web server rules or application-level authentication so that only authorized users can reach it.
  • If a patch is not yet available, consider disabling or removing the filemanager.php component from the production environment until a fix is released.
  • Ensure that all user-supplied data used by filemanager.php is properly validated and sanitized to prevent code injection.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:45:00 +0000

Type | Values Removed | Values Added
Title | | Remote Code Execution via filemanager.php in Alexantr Filemanager v1.0

Mon, 29 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-94
Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | An issue in Alexantr filemanager v.1.0 allows a remote attacker to execute arbitrary code via the filemanager.php component
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-29T20:41:33.360Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37637

Vulnrichment

Updated: 2026-06-29T20:41:28.482Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T21:30:03Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')