216.73.217.86

CVE-2025-56399

· Published 28/10/2025 16:15 · Modified 28/10/2025 16:15

Labels: CVE-2025-56399 2025-10-28CVE-2025-56399[email protected]

Essential information

Published
28/10/2025 16:15
Modified
28/10/2025 16:15
Author
Creator
CISA KEV
No
CWE

Description

alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a '.png` extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to `.php`, and upon accessing it via a public URL, the server executes the embedded code.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
alexusmai / laravel-file-manager cpe:2.3:a:alexusmai:laravel-file-manager:*:*:*:*:*:*:*:*

References