Description
A vulnerability was found in prasathmani TinyFileManager up to 2.6. Affected is an unknown function of the file /filemanager.php of the component POST Parameter Handler. The manipulation of the argument file[] results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal – Arbitrary File Access
Action: Apply Patch
AI Analysis

Impact

A path‑traversal flaw exists in prasathmani TinyFileManager versions up to 2.6. The vulnerability is triggered through manipulation of the POST parameter file[] in the filemanager.php handler. By sending specially crafted values containing directory traversal sequences, an attacker can cause the server to resolve paths outside the intended directory, potentially reading arbitrary files from the filesystem. The flaw is exploitable remotely, and a public exploit has been released, demonstrating the practical risk to deployed instances.

Affected Systems

The affected component is prasathmani TinyFileManager, any installation where the filemanager.php handler is exposed, specifically versions up to 2.6. No earlier versions have been indicated or patched by the vendor.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed large‑scale exploitation yet. The attack vector is likely a remote HTTP POST request to filemanager.php with a crafted file[] parameter. Successful exploitation would grant the attacker read access to files on the server, potentially exposing sensitive data or configuration files. The vulnerability does not inherently provide code execution but could be leveraged in a broader compromise if sensitive files are read or if an attacker later injects code via other channels.

Generated by OpenCVE AI on April 18, 2026 at 09:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TinyFileManager to a version that includes a fix for the file[] input handling, if a vendor patch has been released.
  • Sanitize the file[] parameter server‑side by rejecting any value that contains '..' or absolute path indicators and restricting the allowed characters to safe path fragments.
  • Restrict access to filemanager.php by requiring proper authentication and authorisation, and consider disabling or removing the filemanager module if it is not required for production use.

Generated by OpenCVE AI on April 18, 2026 at 09:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Prasathmani
Prasathmani tiny File Manager
Vendors & Products Prasathmani
Prasathmani tiny File Manager

Fri, 17 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in prasathmani TinyFileManager up to 2.6. Affected is an unknown function of the file /filemanager.php of the component POST Parameter Handler. The manipulation of the argument file[] results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title prasathmani TinyFileManager POST Parameter filemanager.php path traversal
Weaknesses CWE-22
References
Metrics cvssV2_0

{'score': 5.5, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Prasathmani Tiny File Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-17T16:35:16.121Z

Reserved: 2026-04-17T08:39:23.244Z

Link: CVE-2026-6496

cve-icon Vulnrichment

Updated: 2026-04-17T16:35:11.876Z

cve-icon NVD

Status : Deferred

Published: 2026-04-17T15:16:52.480

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6496

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses