CVE-2019-19731

HIGH

Roxy Fileman 1.4.5 - Path Traversal


Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-19731. PoCs published by Patrik Lantz.

AI-analyzed exploit summary: This exploit demonstrates a directory traversal vulnerability in Roxy Fileman 1.4.5 for .NET, allowing an attacker to write arbitrary files to sensitive locations (e.g., Startup folder) via the RENAMEFILE action. The PoC includes steps to upload a crafted .lnk file and rename it to achieve persistence.

Description

Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal. A remote attacker can write uploaded files to arbitrary locations via the RENAMEFILE action. This can be leveraged for code execution by uploading a specially crafted Windows shortcut file and writing the file to the Startup folder (because an incomplete blacklist of file extensions allows Windows shortcut files to be uploaded).

Exploits (1)

exploitdb WORKING POC
by Patrik Lantz · text · webapps · aspx
https://www.exploit-db.com/exploits/47777


Classification: Working PoC 100%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Roxy Fileman 1.4.5 for .NET
No auth needed
Prerequisites: Access to the Roxy Fileman web interface · IIS worker process with sufficient privileges
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Core References
Release Notes x_refsource_misc
http://www.roxyfileman.com/download

Scores

CVSS v3 7.5
EPSS 0.1162
EPSS Percentile 95.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE: CWE-22
Status: published
Products (1)
roxyfileman/roxy_fileman 1.4.5
Published Dec 16, 2019
Tracked Since Feb 18, 2026