Impact
The vulnerability resides in Responsive FileManager, where an unauthenticated attacker can upload any file type through the dialog.php endpoint. The upload validation is absent, resulting in remote code execution by placing malicious scripts or executables in the web root. Because the attacker does not need authentication, any user with network access to the web application can exploit it. The weakness corresponds to CWE‑434, Remote Code Execution through Unvalidated File Upload.
Affected Systems
Affected are installations of Tecrail Responsive FileManager version 9.14.0, the latest release at the time of assignment. The project is no longer maintained, so no official patches are available from the original vendor. Any deployment using the open‑source package as provided will be vulnerable.
Risk and Exploitability
The vulnerability carries a CVSS score of 9.3, indicating critical severity. EPSS is not available, so historical exploitation data is unknown, and it is not listed in CISA KEV. Because the flaw is unauthenticated and exposed via a web endpoint, exploitation can occur over the public network, making it readily actionable. Attackers need only send a crafted upload request; no additional prerequisites are mentioned.
OpenCVE Enrichment