CVE-2022-40734

MEDIUM EXPLOITED IN THE WILD NUCLEI

UniSharp Laravel Filemanager < 2.6.4 - Path Traversal via Download Endpoint

Title source: llm

Exploitation Summary

CVE-2022-40734 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). A Nuclei detection template is also available.

Description

UniSharp laravel-filemanager (aka Laravel Filemanager) before 2.6.4 allows download?working_dir=%2F.. directory traversal to read arbitrary files, as exploited in the wild in June 2022. This is related to league/flysystem before 2.0.0.

Nuclei Templates (1)

Laravel Filemanager v2.5.1 - Local File Inclusion

MEDIUMVERIFIEDby arafatansari

Shodan: http.html:"Laravel Filemanager" || http.html:"laravel filemanager"

FOFA: body="laravel filemanager"

References (3)

Core 3

Core References

Exploit, Issue Tracking, Third Party Advisory

https://github.com/UniSharp/laravel-filemanager/issues/1150

Issue Tracking

https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1320186966

Issue Tracking

https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1825310417

Scores

CVSS v3 6.5

EPSS 0.0401

EPSS Percentile 89.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2022-09-14

InTheWild.io 2022-09-14

CWE

CWE-22

Status published

Products (2)

unisharp/laravel-filemanager 0 - 2.6.4Packagist

unisharp/laravel_filemanager < 2.5.1

Published Sep 14, 2022

Tracked Since Feb 18, 2026