CVE-2022-40490

MEDIUM

Tiny File Manager < 2.4.7 - Stored Cross-Site Scripting via File Name

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-40490. PoCs published by whitej3rry.

AI-analyzed exploit summary: This repository documents a Cross-Site Scripting (XSS) vulnerability in Tiny File Manager v2.4.7, where crafted filenames can execute arbitrary JavaScript when browsed. The PoC includes screenshots demonstrating the exploit but lacks executable code.

Description

Tiny File Manager v2.4.7 and below was discovered to contain a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file.

Exploits (1)

nomisec WRITEUP · 1 star
by whitej3rry · poc
https://github.com/whitej3rry/CVE-2022-40490

Classification
Writeup 80%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Tiny File Manager v2.4.7
No auth needed
Prerequisites: Ability to upload or create files with crafted names on the server
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 4.8
EPSS 0.0037
EPSS Percentile 29.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
prasathmani/tiny_file_manager < 2.4.7
Published Feb 06, 2025
Tracked Since Feb 18, 2026