Description
Responsive FileManager's allows an unauthenticated attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution. 

This project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release 9.14.0
Published: 2026-06-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Responsive FileManager, where an unauthenticated attacker can upload any file type through the dialog.php endpoint. The upload validation is absent, resulting in remote code execution by placing malicious scripts or executables in the web root. Because the attacker does not need authentication, any user with network access to the web application can exploit it. The weakness corresponds to CWE‑434, Remote Code Execution through Unvalidated File Upload.

Affected Systems

Affected are installations of Tecrail Responsive FileManager version 9.14.0, the latest release at the time of assignment. The project is no longer maintained, so no official patches are available from the original vendor. Any deployment using the open‑source package as provided will be vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating critical severity. EPSS is not available, so historical exploitation data is unknown, and it is not listed in CISA KEV. Because the flaw is unauthenticated and exposed via a web endpoint, exploitation can occur over the public network, making it readily actionable. Attackers need only send a crafted upload request; no additional prerequisites are mentioned.

Generated by OpenCVE AI on June 15, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Remove or disable the dialog.php upload endpoint to block file uploads.
  • Implement strict server‑side validation to allow only whitelisted MIME types and file extensions, rejecting all other uploads.
  • Configure the web server or use a web application firewall to prohibit execution of uploaded files and enforce directory access restrictions.
  • Consider migrating to a maintained alternative or fork of Responsive FileManager that includes proper upload controls.

Generated by OpenCVE AI on June 15, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Tecrail
Tecrail responsive Filemanager
Vendors & Products Tecrail
Tecrail responsive Filemanager

Mon, 15 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Description Responsive FileManager's allows an unauthenticated attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution.  This project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release 9.14.0
Title Remote Code Execution via Unrestricted File Upload in Responsive FileManager
Weaknesses CWE-434
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}


Subscriptions

Tecrail Responsive Filemanager
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-15T12:32:39.368Z

Reserved: 2026-04-03T09:53:14.018Z

Link: CVE-2026-5482

cve-icon Vulnrichment

Updated: 2026-06-15T12:32:35.432Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T12:16:25.947

Modified: 2026-06-16T15:41:12.897

Link: CVE-2026-5482

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T13:30:05Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type