CVE-2018-20526

CRITICAL EXPLOITED NUCLEI

Roxy Fileman 1.4.5 - Unrestricted File Upload via upload.php

Title source: llm

Exploitation Summary

CVE-2018-20526 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Pongtorn Angsuchotmetee_ Vittawat Masaree. A Nuclei detection template is also available.

AI-analyzed exploit summary The exploit demonstrates path traversal and unrestricted file upload vulnerabilities in Roxy Fileman 1.4.5. Path traversal allows accessing arbitrary files via manipulated variables in copydir.php, copyfile.php, and fileslist.php. Unrestricted file upload enables uploading malicious files with double extensions (e.g., shellcode.php.png) if php.ini is configured with AddHandler php7-script .php.

Description

Roxy Fileman 1.4.5 allows unrestricted file upload in upload.php.

Exploits (1)

exploitdb WORKING POC

by Pongtorn Angsuchotmetee_ Vittawat Masaree · textwebappsphp

https://www.exploit-db.com/exploits/46085

View Code ZIP pw:eip

The exploit demonstrates path traversal and unrestricted file upload vulnerabilities in Roxy Fileman 1.4.5. Path traversal allows accessing arbitrary files via manipulated variables in copydir.php, copyfile.php, and fileslist.php. Unrestricted file upload enables uploading malicious files with double extensions (e.g., shellcode.php.png) if php.ini is configured with AddHandler php7-script .php.

Classification

Working Poc 100%

Attack Type

Info Leak | Rce

Complexity

Trivial

Reliability

Reliable

Target: Roxy Fileman 1.4.5

No auth needed

Prerequisites: Access to the target application · PHP configuration allowing script execution for uploaded files

MITRE ATT&CK

T1006 - Direct Volume Access T1105 - Ingress Tool Transfer

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Roxy Fileman 1.4.5 - Unrestricted File Upload

CRITICALVERIFIEDby DhiyaneshDK

Shodan: http.title:"roxy file manager"

FOFA: title="roxy file manager"

References (2)

Core 2

Core References

Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/151033/Roxy-Fileman-1.4.5-File-Upload-Directory-Traversal.html

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/46085/

Scores

CVSS v3 9.8

EPSS 0.7337

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-05-27

CWE

CWE-434

Status published

Products (1)

roxyfileman/roxy_fileman 1.4.5

Published Mar 21, 2019

Tracked Since Feb 18, 2026