Thanakorn Boontem

8 exploits Active since Jul 2025
CVE-2025-56399 NOMISEC HIGH WRITEUP
alexusmai laravel-file-manager <3.3.1 - Authenticated RCE
alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a '.png` extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to `.php`, and upon accessing it via a public URL, the server executes the embedded code.
3 stars
CVSS 8.8
CVE-2025-63307 NOMISEC HIGH WRITEUP
alexusmai laravel-file-manager 3.3.1 - XSS
alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting (XSS). The application permits user-controlled upload, create, and rename of files to HTML and SVG types and serves those files inline without adequate content-type validation or output sanitization.
1 stars
CVSS 8.1
CVE-2025-65345 NOMISEC MEDIUM WRITEUP
alexusmai/laravel-file-manager < 3.3.1 - Directory Traversal via Zip Archive Functionality
alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The zip/archiving functionality allows an attacker to create archives containing files and directories outside the intended scope due to improper path validation.
CVSS 6.5
CVE-2025-46001 WRITEUP CRITICAL WRITEUP
simogeo Filemanager 2.3.0 - Arbitrary File Upload via is_allowed_file_type() Function
An arbitrary file upload vulnerability in the is_allowed_file_type() function of Filemanager v2.3.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVSS 9.8
CVE-2025-46002 WRITEUP MEDIUM WRITEUP
simogeo filemanager <= 2.5.0 - Directory Traversal via filemanager.php Endpoint
An issue in Filemanager v2.5.0 and below allows attackers to execute a directory traversal via sending a crafted HTTP request to the filemanager.php endpoint.
CVSS 6.5
CVE-2025-63307 WRITEUP HIGH WRITEUP
alexusmai laravel-file-manager 3.3.1 - XSS
alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting (XSS). The application permits user-controlled upload, create, and rename of files to HTML and SVG types and serves those files inline without adequate content-type validation or output sanitization.
CVSS 8.1
CVE-2025-46000 WRITEUP MEDIUM WRITEUP
simogeo Filemanager < 2.5.0 - Arbitrary File Upload and Remote Code Execution via SVG File
An arbitrary file upload vulnerability in the component /rsc/filemanager.rsc.class.php of Filemanager commit c75b914 v.2.5.0 allows attackers to execute arbitrary code via uploading a crafted SVG file.
CVSS 6.5
CVE-2025-63307 WRITEUP HIGH WRITEUP
alexusmai laravel-file-manager 3.3.1 - XSS
alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting (XSS). The application permits user-controlled upload, create, and rename of files to HTML and SVG types and serves those files inline without adequate content-type validation or output sanitization.
CVSS 8.1