Description
In Tiny File Manager before 2.3.9, remote code execution is possible via the Upload from URL and Edit/Rename files features. Only authenticated users are impacted.
References (2)
Third Party Advisory x_refsource_confirm
https://github.com/prasathmani/tinyfilemanager/security/advisories/GHSA-w72h-v37j-rrwr
Scores
CVSS v3
6.5
EPSS
0.0217
EPSS Percentile
84.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Details
CWE
CWE-78
CWE-434
Status
published
Products (1)
prasathmani/tiny_file_manager
< 2.3.9
Published
Dec 30, 2019
Tracked Since
Feb 18, 2026