CVE-2021-45010

HIGH

Tiny File Manager < 2.4.7 - Authenticated Path Traversal and Remote Code Execution via File Upload

Exploitation Summary

EIP tracks 4 public exploits for CVE-2021-45010. PoCs published by FEBIN MON SAJI, BKreisel, Syd-SydneyJr.

Description

A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution.

Exploits (4)

exploitdb WORKING POC
by FEBIN MON SAJI · bash · webapps · php
https://www.exploit-db.com/exploits/50828

This exploit targets Tiny File Manager <= 2.4.6, leveraging an authenticated RCE vulnerability (CVE-2021-40964) by uploading a malicious PHP shell via path traversal. It includes steps for authentication, webroot discovery, and shell execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Tiny File Manager <= 2.4.6
Auth required
Prerequisites: valid admin credentials · curl and jq installed · target URL accessible
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 4 stars
by BKreisel · poc
https://github.com/BKreisel/CVE-2021-45010

This is a functional Python-based exploit for CVE-2021-45010, targeting Tiny File Manager versions below 2.4.7. It leverages a directory traversal vulnerability to upload a PHP webshell, enabling remote command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Tiny File Manager < 2.4.7
Auth required
Prerequisites: Valid credentials for Tiny File Manager · Network access to the target application
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by Syd-SydneyJr · poc
https://github.com/Syd-SydneyJr/CVE-2021-45010

This is a functional exploit for CVE-2021-45010, targeting Tiny File Manager <= 2.4.3. It authenticates, uploads a PHP shell, and provides interactive command execution via a reverse shell mechanism.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Tiny File Manager <= 2.4.3
Auth required
Prerequisites: Valid credentials for Tiny File Manager · Network access to the target · PHP execution capabilities on the target
devstral-2 · analyzed Feb 16, 2026

github WORKING POC
by dugisan3rd · python · poc
https://github.com/dugisan3rd/exploit/tree/main/cve-2021-45010

This repository contains a functional Python exploit for CVE-2021-45010, which leverages a Local File Inclusion (LFI) vulnerability in Tiny File Manager before 2.4.7 to achieve Remote Code Execution (RCE). The exploit authenticates, uploads a malicious PHP file via path traversal, and executes arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Tiny File Manager <= 2.4.6
Auth required
Prerequisites: valid credentials · writeable directory in webroot
devstral-2 · analyzed Apr 29, 2026

Scores

CVSS v3: 8.8
EPSS: 0.8104
EPSS Percentile: 99.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-22
Status: published
Products (1): prasathmani/tiny_file_manager < 2.4.7
Published: Mar 15, 2022
Tracked Since: Feb 18, 2026