Description

UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path.

PUBLISHED | Reserved 2026-04-05 | Published 2026-04-05 | Updated 2026-04-06 | Assigner VulnCheck




HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
HIGH: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

Unrestricted Upload of File with Dangerous Type

Product status

2.0.0: affected

Credits

Mohammad Danish (finder)

References

www.exploit-db.com/exploits/46389 (ExploitDB-46389) [exploit]

github.com/UniSharp/laravel-filemanager (Official Product Homepage) [product]

github.com/UniSharp/laravel-filemanager/issues/356 (Source Code Repository) [product]

www.vulncheck.com/...le-manager-alpha7-arbitrary-file-upload (VulnCheck Advisory: UniSharp Laravel File Manager v2.0.0-alpha7 Arbitrary File Upload) [third-party-advisory]

cve.org (CVE-2019-25673)

nvd.nist.gov (CVE-2019-25673)
